Package: strongswan / 4.5.2-1.5+deb7u8

Metadata

Package Version Patches format
strongswan 4.5.2-1.5+deb7u8 3.0 (quilt)

Patch series

Patch File delta Description
0001 fix fprintf format.patch | (download)

src/libcharon/plugins/stroke/stroke_ca.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 Fix FTBFS (failure to build from source) with gcc 4.6 by correcting an fprintf format string; taken from upstream.
debian changes 4.5.2 1.1 | (download)

src/_copyright/_copyright.8 | 29 29 + 0 - 0 !
src/libcharon/plugins/maemo/org.strongswan.charon.service | 4 4 + 0 - 0 !
src/libcharon/plugins/stroke/stroke_shared_key.c | 140 140 + 0 - 0 !
src/libcharon/plugins/stroke/stroke_shared_key.h | 60 60 + 0 - 0 !
src/libcharon/tnccs/tnccs.c | 22 22 + 0 - 0 !
src/libcharon/tnccs/tnccs.h | 52 52 + 0 - 0 !
src/libcharon/tnccs/tnccs_manager.c | 148 148 + 0 - 0 !
src/libcharon/tnccs/tnccs_manager.h | 74 74 + 0 - 0 !
src/libfreeswan/atosa.3 | 217 217 + 0 - 0 !
src/libfreeswan/atosa.c | 198 198 + 0 - 0 !
src/libfreeswan/keyblobtoid.3 | 102 102 + 0 - 0 !
src/libfreeswan/keyblobtoid.c | 146 146 + 0 - 0 !
src/libfreeswan/prng.3 | 120 120 + 0 - 0 !
src/libfreeswan/prng.c | 200 200 + 0 - 0 !
src/libfreeswan/satoa.c | 100 100 + 0 - 0 !
src/libstrongswan/credentials/certificates/x509.c | 28 28 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/description.txt | 8 8 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat | 12 12 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf | 23 23 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file | 1 1 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf | 23 23 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file | 1 1 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf | 26 26 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf | 13 13 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/posttest.dat | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/pretest.dat | 15 15 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-block/test.conf | 26 26 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt | 11 11 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat | 14 14 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf | 4 4 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary | 2 2 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc | 5 5 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf | 25 25 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf | 5 5 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf | 120 120 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default | 44 44 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel | 32 32 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second | 23 23 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users | 2 2 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf | 24 24 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file | 1 1 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf | 24 24 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file | 1 1 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables | 84 84 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf | 25 25 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf | 12 12 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat | 8 8 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat | 15 15 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf | 26 26 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/description.txt | 10 10 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat | 19 19 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf | 4 4 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary | 2 2 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc | 5 5 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf | 25 25 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf | 5 5 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf | 120 120 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default | 44 44 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel | 32 32 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second | 36 36 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users | 2 2 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf | 24 24 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file | 1 1 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf | 24 24 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file | 1 1 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables | 84 84 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf | 35 35 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf | 13 13 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat | 8 8 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat | 18 18 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-radius/test.conf | 26 26 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/description.txt | 7 7 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat | 19 19 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf | 24 24 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file | 1 1 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf | 24 24 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file | 1 1 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf | 36 36 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf | 13 13 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat | 15 15 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc-tls/test.conf | 26 26 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/description.txt | 9 9 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/evaltest.dat | 19 19 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf | 23 23 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file | 1 1 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf | 23 23 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file | 1 1 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf | 36 36 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf | 13 13 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config | 3 3 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/posttest.dat | 6 6 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/pretest.dat | 15 15 + 0 - 0 !
testing/tests/ikev2/rw-eap-tnc/test.conf | 26 26 + 0 - 0 !
131 files changed, 3336 insertions(+)

 upstream changes introduced in version 4.5.2-1.1
 This patch has been created by dpkg-source during the package build.
 Here's the last changelog entry, hopefully it gives details on why
 those changes were made:
 .
 strongswan (4.5.2-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * debian/strongswan-starter.ipsec.init: Init script should depends on
     remote_fs instead of local_fs, also provide ipsec instead of vpn as
     the other ipsec implementations (Closes: #629675)
   * debian/patches/0001-fix-fprintf-format.patch: Fix FTBFS with gcc 4.6,
     taken from upstream (Closes: #614486)
   * debian/control: Tighten dependency version against libstrongswan
     (Closes: #626170)
   * debian/strongswan-starter.lintian-overrides, debian/rules:
     Correctly set restricted permissions on /etc/ipsec.d/private/
     and /var/lib/strongswan (Closes: #598827)
 .
 The person named in the Author field signed this changelog entry.
0001 Fix boolean return value if an empty RSA signature i.patch | (download)

src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] Fix the boolean return value when an empty RSA signature is
 detected in the gmp plugin. The one-line change is in the public-key
 verify path, so the wrong boolean presumably meant an empty signature was
 reported as verified instead of being rejected; callers of verify() must
 only ever see TRUE for a signature that actually checked out.


0001 Added support for the resolvconf framework in resolv.patch | (download)

src/libhydra/plugins/resolve/resolve_handler.c | 201 149 + 52 - 0 !
1 file changed, 149 insertions(+), 52 deletions(-)

 [patch] Added support for the resolvconf framework in the resolve plugin.

If /sbin/resolvconf is found, nameservers are no longer written directly to
/etc/resolv.conf; instead resolvconf is invoked to register them. Note that
this makes the daemon execute an external program with DNS-server data it
received at runtime, so how that data is passed to resolvconf (as input
rather than on a shell command line) is part of what this patch should be
reviewed for.

0001 Check return value of ECDSA_Verify correctly.patch | (download)

src/libstrongswan/plugins/openssl/openssl_ec_public_key.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 Check the return value of ECDSA_verify() correctly. OpenSSL's ECDSA_verify()
 returns 1 for a valid signature, 0 for an invalid one and -1 on error, so
 only a result of exactly 1 may be treated as success; a check such as
 "!= 0" would presumably accept a malformed signature that triggers the
 error path.


CVE 2013 6075.patch | (download)

src/libstrongswan/utils/identification.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] identification: properly check the length before comparing two
 binary (DER-encoded) DNs for equality, so that the byte comparison is only
 done on DNs of matching length and cannot run past the shorter buffer.

Fixes CVE-2013-6075.

CVE 2014 2338 4.x.patch | (download)

src/libcharon/sa/task_manager.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 [patch] ikev2: reject create_child_sa exchange on unestablished
 IKE_SAs

Prevents a responder peer from tricking us into the established state by
starting an IKE_SA rekeying (CREATE_CHILD_SA) before the IKE_SA has been
authenticated during IKE_AUTH.

Fixes CVE-2014-2338 for 4.4.x, 4.5.x and 4.6.x versions of strongSwan.

CVE 2014 2891.patch | (download)

src/libstrongswan/asn1/asn1.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] asn1: properly check the length in asn1_unwrap() against the data
 actually remaining in the input before unwrapping the element.

Fixes CVE-2014-2891 in strongSwan releases 4.3.3 through 5.1.1.

CVE 2014 9221_modp_custom.patch | (download)

src/libstrongswan/crypto/diffie_hellman.c | 5 3 + 2 - 0 !
src/libstrongswan/crypto/diffie_hellman.h | 5 3 + 2 - 0 !
2 files changed, 6 insertions(+), 4 deletions(-)

 [patch] crypto: define modp_custom outside of ike dh range

Before this fix, it was possible to crash charon with an IKE_SA_INIT
message containing a KE payload with DH group MODP_CUSTOM (1025). Because
IKE_SA_INIT is the first, unauthenticated exchange, this is a remote
pre-authentication denial of service reachable by any peer that can send
UDP to the daemon. Defining MODP_CUSTOM outside of the two-byte IKE DH
identifier range prevents it from being negotiated over the wire at all.

Fixes CVE-2014-9221 in versions before 4.5.4.

CVE 2014 9221_dh_group.patch | (download)

src/libstrongswan/plugins/gcrypt/gcrypt_dh.c | 2 1 + 1 - 0 !
src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c | 2 1 + 1 - 0 !
src/libstrongswan/plugins/openssl/openssl_diffie_hellman.c | 2 1 + 1 - 0 !
src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c | 2 1 + 1 - 0 !
4 files changed, 4 insertions(+), 4 deletions(-)

---
CVE 2015 4171_enforce_remote_auth.patch | (download)

src/libcharon/sa/tasks/ike_auth.c | 44 44 + 0 - 0 !
1 file changed, 44 insertions(+)

 [patch] ikev2: enforce remote authentication config before proceeding
 with own authentication

Previously the constraints in the authentication configuration of an
initiator were enforced only after all authentication rounds were
complete.  This posed a problem if an initiator used EAP or PSK
authentication while the responder was authenticated with a certificate
and if a rogue server was able to authenticate itself with a valid
certificate issued by any CA the initiator trusted.

Because any constraints the initiator had for the responder's identity
(rightid) or for other aspects of the authentication (e.g. rightca) were not
enforced until the initiator itself had finished its authentication, such a
rogue responder was able to acquire usernames and password hashes from the
client. And if the client supported EAP-GTC, it was even possible to trick
it into sending plaintext passwords.

This patch enforces the configured constraints right after the responder's
authentication successfully finished for each round and before the initiator
starts with its own authentication.

Fixes CVE-2015-4171.

CVE 2015 8023_eap_mschapv2_state.patch | (download)

src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 [patch] eap-mschapv2: only succeed authentication if msk was
 established

On the server side, an MSK is only established once the client has
successfully authenticated itself, and only then may an MSCHAPV2_SUCCESS
message from the peer be accepted. Without this state check, authentication
could succeed before the client had actually proven knowledge of the
password.

Fixes CVE-2015-8023.