strongswan: update to 5.9.13 (#740)

2025-05-02 10:02:24 +08:00 · 2023-12-21 18:20:17 +08:00 · 2023-12-21 18:20:17 +08:00 · 00242d67b9
commit 00242d67b9
parent a6bbc6b2f8
6 changed files with 206 additions and 121 deletions
--- a/net/strongswan/Makefile
+++ b/net/strongswan/Makefile
@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=strongswan
-PKG_VERSION:=5.9.5
+PKG_VERSION:=5.9.13
 PKG_RELEASE:=$(AUTORELEASE)

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://download.strongswan.org/ https://download2.strongswan.org/
-PKG_HASH:=983e4ef4a4c6c9d69f5fe6707c7fe0b2b9a9291943bbf4e008faab6bf91c0bdd
+PKG_HASH:=56e30effb578fd9426d8457e3b76c8c3728cd8a5589594b55649b2719308ba55
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_MAINTAINER:=Philip Prindeville <philipp@redfish-solutions.com>, Noel Kuntze <noel.kuntze@thermi.consulting>
 PKG_CPE_ID:=cpe:/a:strongswan:strongswan
--- a/net/strongswan/files/swanctl.init
+++ b/net/strongswan/files/swanctl.init
@ -63,9 +63,12 @@ file_reset() {

 xappend() {
 	local file="$1"
-	shift
+	local indent="$2"
+	shift 2

-	echo "$@" >> "$file"
+	for cmd in "$@"; do
+		echo "$indent$cmd" >> "$file"
+	done
 }

 swan_reset() {
@ -77,23 +80,23 @@ swan_xappend() {
 }

 swan_xappend0() {
-	swan_xappend "$@"
+	swan_xappend "" "$@"
 }

 swan_xappend1() {
-	swan_xappend "  ""$@"
+	swan_xappend "  " "$@"
 }

 swan_xappend2() {
-	swan_xappend "    ""$@"
+	swan_xappend "    " "$@"
 }

 swan_xappend3() {
-	swan_xappend "      ""$@"
+	swan_xappend "      " "$@"
 }

 swan_xappend4() {
-	swan_xappend "        ""$@"
+	swan_xappend "        " "$@"
 }

 swanctl_reset() {
@ -105,23 +108,23 @@ swanctl_xappend() {
 }

 swanctl_xappend0() {
-	swanctl_xappend "$@"
+	swanctl_xappend "" "$@"
 }

 swanctl_xappend1() {
-	swanctl_xappend "  ""$@"
+	swanctl_xappend "  " "$@"
 }

 swanctl_xappend2() {
-	swanctl_xappend "    ""$@"
+	swanctl_xappend "    " "$@"
 }

 swanctl_xappend3() {
-	swanctl_xappend "      ""$@"
+	swanctl_xappend "      " "$@"
 }

 swanctl_xappend4() {
-	swanctl_xappend "        ""$@"
+	swanctl_xappend "        " "$@"
 }

 warning() {
@ -151,14 +154,16 @@ is_aead() {
 	return 1
 }

-add_esp_proposal() {
+config_esp_proposal() {
+	local conf="$1"
+
 	local encryption_algorithm
 	local hash_algorithm
 	local dh_group

-	config_get encryption_algorithm "$1" encryption_algorithm
-	config_get hash_algorithm "$1" hash_algorithm
-	config_get dh_group "$1" dh_group
+	config_get encryption_algorithm "$conf" encryption_algorithm
+	config_get hash_algorithm "$conf" hash_algorithm
+	config_get dh_group "$conf" dh_group

 	# check for AEAD and clobber hash_algorithm if set
 	if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
@ -170,27 +175,29 @@ add_esp_proposal() {
 		crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${dh_group:+-${dh_group}}"
 }

-parse_esp_proposal() {
+iter_esp_proposal() {
 	local conf="$1"
 	local var="$2"

 	local crypto=""

-	config_list_foreach "$conf" crypto_proposal add_esp_proposal
+	config_list_foreach "$conf" crypto_proposal config_esp_proposal

 	export -n "$var=$crypto"
 }

-add_ike_proposal() {
+config_ike_proposal() {
+	local conf="$1"
+
 	local encryption_algorithm
 	local hash_algorithm
 	local dh_group
 	local prf_algorithm

-	config_get encryption_algorithm "$1" encryption_algorithm
-	config_get hash_algorithm "$1" hash_algorithm
-	config_get dh_group "$1" dh_group
-	config_get prf_algorithm "$1" prf_algorithm
+	config_get encryption_algorithm "$conf" encryption_algorithm
+	config_get hash_algorithm "$conf" hash_algorithm
+	config_get dh_group "$conf" dh_group
+	config_get prf_algorithm "$conf" prf_algorithm

 	# check for AEAD and clobber hash_algorithm if set
 	if is_aead "$encryption_algorithm" && [ -n "$hash_algorithm" ]; then
@ -202,20 +209,20 @@ add_ike_proposal() {
 		crypto="${crypto:+${crypto},}${encryption_algorithm}${hash_algorithm:+-${hash_algorithm}}${prf_algorithm:+-${prf_algorithm}}${dh_group:+-${dh_group}}"
 }

-parse_ike_proposal() {
+iter_ike_proposal() {
 	local conf="$1"
 	local var="$2"

 	local crypto=""

-	config_list_foreach "$conf" crypto_proposal add_ike_proposal
+	config_list_foreach "$conf" crypto_proposal config_ike_proposal

 	export -n "$var=$crypto"
 }

 config_child() {
 	# Generic ipsec conn section shared by tunnel and transport
-	local config_name="$1"
+	local conf="$1"
 	local mode="$2"

 	local hw_offload
@ -233,26 +240,36 @@ config_child() {
 	local startaction
 	local if_id
 	local rekeytime
+	local rekeybytes
+	local lifebytes
+	local rekeypackets
+	local lifepackets
+	local replay_window

-	config_get startaction "$1" startaction "route"
-	config_get local_nat "$1" local_nat ""
-	config_get updown "$1" updown ""
-	config_get firewall "$1" firewall ""
-	config_get lifetime "$1" lifetime ""
-	config_get dpdaction "$1" dpdaction "none"
-	config_get closeaction "$1" closeaction "none"
-	config_get if_id "$1" if_id ""
-	config_get rekeytime "$1" rekeytime ""
-	config_get_bool ipcomp "$1" ipcomp 0
-	config_get interface "$1" interface ""
-	config_get hw_offload "$1" hw_offload ""
-	config_get priority "$1" priority ""
+	config_get startaction "$conf" startaction "route"
+	config_get local_nat "$conf" local_nat ""
+	config_get updown "$conf" updown ""
+	config_get firewall "$conf" firewall ""
+	config_get lifetime "$conf" lifetime ""
+	config_get dpdaction "$conf" dpdaction "none"
+	config_get closeaction "$conf" closeaction "none"
+	config_get if_id "$conf" if_id ""
+	config_get rekeytime "$conf" rekeytime ""
+	config_get_bool ipcomp "$conf" ipcomp 0
+	config_get interface "$conf" interface ""
+	config_get hw_offload "$conf" hw_offload ""
+	config_get priority "$conf" priority ""
+	config_get rekeybytes "$conf" rekeybytes ""
+	config_get lifebytes "$conf" lifebytes ""
+	config_get rekeypackets "$conf" rekeypackets ""
+	config_get lifepackets "$conf" lifepackets ""
+	config_get replay_window "$conf" replay_window ""

-	config_list_foreach "$1" local_subnet append_var local_subnet ","
-	config_list_foreach "$1" remote_subnet append_var remote_subnet ","
+	config_list_foreach "$conf" local_subnet append_var local_subnet ","
+	config_list_foreach "$conf" remote_subnet append_var remote_subnet ","

 	local esp_proposal
-	parse_esp_proposal "$1" esp_proposal
+	iter_esp_proposal "$conf" esp_proposal

 	# translate from ipsec to swanctl
 	case "$startaction" in
@ -318,16 +335,16 @@ config_child() {

 	[ -n "$local_nat" ] && local_subnet="$local_nat"

-	swanctl_xappend3 "$config_name {"
+	swanctl_xappend3 "$conf {"

 	[ -n "$local_subnet" ] && swanctl_xappend4 "local_ts = $local_subnet"
 	[ -n "$remote_subnet" ] && swanctl_xappend4 "remote_ts = $remote_subnet"

-	[ -n "$hw_offload" ] && swanctl_append4 "hw_offload = $hw_offload"
+	[ -n "$hw_offload" ] && swanctl_xappend4 "hw_offload = $hw_offload"
 	[ $ipcomp -eq 1 ] && swanctl_xappend4 "ipcomp = 1"
-	[ -n "$interface" ] && swanctl_append4 "interface = $interface"
-	[ -n "$priority" ] && swanctl_append4 "priority = $priority"
-	[ -n "$if_id" ] && { swanctl_xappend4 "if_id_in = $if_id" ; swanctl_xappend4 "if_id_out = $if_id" ; }
+	[ -n "$interface" ] && swanctl_xappend4 "interface = $interface"
+	[ -n "$priority" ] && swanctl_xappend4 "priority = $priority"
+	[ -n "$if_id" ] && swanctl_xappend4 "if_id_in = $if_id" "if_id_out = $if_id"
 	[ -n "$startaction" -a "$startaction" != "none" ] && swanctl_xappend4 "start_action = $startaction"
 	[ -n "$closeaction" -a "$closeaction" != "none" ] && swanctl_xappend4 "close_action = $closeaction"
 	swanctl_xappend4 "esp_proposals = $esp_proposal"
@ -339,10 +356,23 @@ config_child() {
 		swanctl_xappend4 "life_time = $(seconds2time $(((110 * $(time2seconds $rekeytime)) / 100)))"
 	fi
 	[ -n "$rekeytime" ] && swanctl_xappend4 "rekey_time = $rekeytime"
+	if [ -n "$lifebytes" ]; then
+		swanctl_xappend4 "life_bytes = $lifebytes"
+	elif [ -n "$rekeybytes" ]; then
+		swanctl_xappend4 "life_bytes = $(((110 * rekeybytes) / 100))"
+	fi
+	[ -n "$rekeybytes" ] && swanctl_xappend4 "rekey_bytes = $rekeybytes"
+	if [ -n "$lifepackets" ]; then
+		swanctl_xappend4 "life_packets = $lifepackets"
+	elif [ -n "$rekeypackets" ]; then
+		swanctl_xappend4 "life_packets = $(((110 * rekeypackets) / 100))"
+	fi
+	[ -n "$rekeypackets" ] && swanctl_xappend4 "rekey_packets = $rekeypackets"
 	[ -n "$inactivity" ] && swanctl_xappend4 "inactivity = $inactivity"

 	[ -n "$updown" ] && swanctl_xappend4 "updown = $updown"
 	[ -n "$dpdaction" ] && swanctl_xappend4 "dpd_action = $dpdaction"
+	[ -n "$replay_window" ] && swanctl_xappend4 "replay_window = $replay_window"

        swanctl_xappend3 "}"
 }
@ -355,12 +385,47 @@ config_transport() {
 	config_child "$1" "transport"
 }

-config_connection() {
-	local config_name="$1"
+config_pool() {
+	local conf="$1"
+
+	local addrs
+	local dns
+	local nbns
+	local dhcp
+	local netmask
+	local server
+	local subnet
+	local split_include
+	local split_exclude
+
+	config_get addrs "$conf" addrs
+	config_list_foreach "$conf" dns append_var dns ","
+	config_list_foreach "$conf" nbns append_var nbns ","
+	config_list_foreach "$conf" dhcp append_var dhcp ","
+	config_list_foreach "$conf" netmask append_var netmask ","
+	config_list_foreach "$conf" server append_var server ","
+	config_list_foreach "$conf" subnet append_var subnet ","
+	config_list_foreach "$conf" split_include append_var split_include ","
+	config_list_foreach "$conf" split_exclude append_var split_exclude ","
+
+	swanctl_xappend1 "$conf {"
+	[ -n "$addrs" ] && swanctl_xappend2 "addrs = $addrs"
+	[ -n "$dns" ] && swanctl_xappend2 "dns = $dns"
+	[ -n "$nbns" ] && swanctl_xappend2 "nbns = $nbns"
+	[ -n "$dhcp" ] && swanctl_xappend2 "dhcp = $dhcp"
+	[ -n "$netmask" ] && swanctl_xappend2 "netmask = $netmask"
+	[ -n "$server" ] && swanctl_xappend2 "server = $server"
+	[ -n "$subnet" ] && swanctl_xappend2 "subnet = $subnet"
+	[ -n "$split_include" ] && swanctl_xappend2 "split_include = $split_include"
+	[ -n "$split_exclude" ] && swanctl_xappend2 "split_exclude = $split_exclude"
+	swanctl_xappend1 "}"
+}
+
+config_remote() {
+	local conf="$1"

 	local enabled
 	local gateway
-	local local_gateway
 	local local_sourceip
 	local local_ip
 	local remote_gateway
@ -376,29 +441,33 @@ config_connection() {
 	local local_key
 	local ca_cert
 	local rekeytime
+	local remote_ca_certs
+	local pools

-	config_get_bool enabled "$1" enabled 0
+	config_get_bool enabled "$conf" enabled 0
 	[ $enabled -eq 0 ] && return

-	config_get gateway "$1" gateway
-	config_get pre_shared_key "$1" pre_shared_key
-	config_get auth_method "$1" authentication_method
-	config_get local_identifier "$1" local_identifier ""
-	config_get remote_identifier "$1" remote_identifier ""
-	config_get local_ip "$1" local_ip "%any"
-	config_get keyingtries "$1" keyingtries "3"
-	config_get dpddelay "$1" dpddelay "30s"
-	config_get inactivity "$1" inactivity
-	config_get keyexchange "$1" keyexchange "ikev2"
-	config_get fragmentation "$1" fragmentation "yes"
-	config_get_bool mobike "$1" mobike 1
-	config_get local_cert "$1" local_cert ""
-	config_get local_key "$1" local_key ""
-	config_get ca_cert "$1" ca_cert ""
-	config_get rekeytime "$1" rekeytime
-	config_get overtime "$1" overtime
+	config_get gateway "$conf" gateway
+	config_get pre_shared_key "$conf" pre_shared_key
+	config_get auth_method "$conf" authentication_method
+	config_get local_identifier "$conf" local_identifier ""
+	config_get remote_identifier "$conf" remote_identifier ""
+	config_get local_ip "$conf" local_ip "%any"
+	config_get keyingtries "$conf" keyingtries "3"
+	config_get dpddelay "$conf" dpddelay "30s"
+	config_get inactivity "$conf" inactivity
+	config_get keyexchange "$conf" keyexchange "ikev2"
+	config_get fragmentation "$conf" fragmentation "yes"
+	config_get_bool mobike "$conf" mobike 1
+	config_get local_cert "$conf" local_cert ""
+	config_get local_key "$conf" local_key ""
+	config_get ca_cert "$conf" ca_cert ""
+	config_get rekeytime "$conf" rekeytime
+	config_get overtime "$conf" overtime

-	config_list_foreach "$1" local_sourceip append_var local_sourceip ","
+	config_list_foreach "$conf" local_sourceip append_var local_sourceip ","
+	config_list_foreach "$conf" remote_ca_certs append_var remote_ca_certs ","
+	config_list_foreach "$conf" pools append_var pools ","

 	case "$fragmentation" in
 	0)
@ -416,10 +485,6 @@ config_connection() {

 	[ "$gateway" = "any" ] && remote_gateway="%any" || remote_gateway="$gateway"

-	local ipdest
-	[ "$remote_gateway" = "%any" ] && ipdest="1.1.1.1" || ipdest="$remote_gateway"
-	local_gateway=`ip -o route get $ipdest | awk '/ src / { gsub(/^.* src /,""); gsub(/ .*$/, ""); print $0}'`
-
 	if [ -n "$local_key" ]; then
 		[ "$(dirname "$local_key")" != "." ] && \
 		   fatal "local_key $local_key can't be pathname"
@ -428,7 +493,7 @@ config_connection() {
 	fi

 	local ike_proposal
-	parse_ike_proposal "$1" ike_proposal
+	iter_ike_proposal "$conf" ike_proposal

 	[ -n "$firewall" ] && fatal "Firewall not supported"

@ -448,14 +513,15 @@ config_connection() {
 		fi
 	fi

-	swanctl_xappend0 "# config for $config_name"
+	swanctl_xappend0 "# config for $conf"
 	swanctl_xappend0 "connections {"
-	swanctl_xappend1 "$config_name {"
+	swanctl_xappend1 "$conf {"
 	swanctl_xappend2 "local_addrs = $local_ip"
 	swanctl_xappend2 "remote_addrs = $remote_gateway"

 	[ -n "$local_sourceip" ] && swanctl_xappend2 "vips = $local_sourceip"
 	[ -n "$fragmentation" ] && swanctl_xappend2 "fragmentation = $fragmentation"
+	[ -n "$pools" ] && swanctl_xappend2 "pools = $pools"

 	swanctl_xappend2 "local {"
 	swanctl_xappend3 "auth = $auth_method"
@ -468,13 +534,14 @@ config_connection() {
 	swanctl_xappend2 "remote {"
 	swanctl_xappend3 "auth = $auth_method"
 	[ -n "$remote_identifier" ] && swanctl_xappend3 "id = \"$remote_identifier\""
+	[ -n "$remote_ca_certs" ] && swanctl_xappend3 "cacerts = \"$remote_ca_certs\""
 	swanctl_xappend2 "}"

 	swanctl_xappend2 "children {"

-	config_list_foreach "$1" tunnel config_tunnel
+	config_list_foreach "$conf" tunnel config_tunnel

-	config_list_foreach "$1" transport config_transport
+	config_list_foreach "$conf" transport config_transport

 	swanctl_xappend2 "}"

@ -514,7 +581,7 @@ config_connection() {

 		if [ -n "$ca_cert" ]; then
 			swanctl_xappend0 "authorities {"
-			swanctl_xappend1 "$config_name {"
+			swanctl_xappend1 "$conf {"
 			swanctl_xappend2 "cacert = $ca_cert"
 			swanctl_xappend1 "}"
 			swanctl_xappend0 "}"
@ -524,12 +591,12 @@ config_connection() {
 		swanctl_xappend0 ""

 		swanctl_xappend0 "secrets {"
-		swanctl_xappend1 "ike {"
+		swanctl_xappend1 "ike-$conf {"
 		swanctl_xappend2 "secret = $pre_shared_key"
-		if [ -n "$local_id" ]; then
-			swanctl_xappend2 "id1 = $local_id"
-			if [ -n "$remote_id" ]; then
-				swanctl_xappend2 "id2 = $remote_id"
+		if [ -n "$local_identifier" ]; then
+			swanctl_xappend2 "id1 = $local_identifier"
+			if [ -n "$remote_identifier" ]; then
+				swanctl_xappend2 "id2 = $remote_identifier"
 			fi
 		fi
 		swanctl_xappend1 "}"
@ -538,6 +605,10 @@ config_connection() {
 		fatal "AuthenticationMode $auth_mode not supported"
 	fi

+	swanctl_xappend0 "pools {"
+	config_list_foreach "$conf" pools config_pool
+	swanctl_xappend0 "}"
+
 	swanctl_xappend0 ""
 }

@ -546,18 +617,20 @@ do_preamble() {
 }

 config_ipsec() {
+	local conf="$1"
+
 	local rtinstall_enabled
 	local routing_table
 	local routing_table_id
 	local interface
 	local interface_list

-	config_get debug "$1" debug 0
-	config_get_bool rtinstall_enabled "$1" rtinstall_enabled 1
+	config_get debug "$conf" debug 0
+	config_get_bool rtinstall_enabled "$conf" rtinstall_enabled 1
 	[ $rtinstall_enabled -eq 1 ] && install_routes=yes || install_routes=no

 	# prepare extra charon config option ignore_routing_tables
-	for routing_table in $(config_get "$1" "ignore_routing_tables"); do
+	for routing_table in $(config_get "$conf" "ignore_routing_tables"); do
 		if [ "$routing_table" -ge 0 ] 2>/dev/null; then
 			routing_table_id=$routing_table
 		else
@ -567,7 +640,7 @@ config_ipsec() {
 		[ -n "$routing_table_id" ] && append routing_tables_ignored "$routing_table_id"
 	done

-	config_list_foreach "$1" interface append_var interface_list
+	config_list_foreach "$conf" interface append_var interface_list

 	if [ -z "$interface_list" ]; then
 		WAIT_FOR_INTF=0
@ -610,7 +683,7 @@ prepare_env() {

 	config_load ipsec
 	config_foreach config_ipsec ipsec
-	config_foreach config_connection remote
+	config_foreach config_remote remote

 	do_postamble
 }
--- a/net/strongswan/patches/0900-src-Patch-for-building-with-musl-on-openwrt-taken-ve.patch
+++ b/net/strongswan/patches/0900-src-Patch-for-building-with-musl-on-openwrt-taken-ve.patch
@ -16,7 +16,7 @@ Subject: [PATCH 900/904] src: Patch for building with musl on openwrt (taken

 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
 +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
-@@ -40,6 +40,7 @@
+@@ -41,6 +41,7 @@
  */
 
 #define _GNU_SOURCE
@ -37,7 +37,7 @@ Subject: [PATCH 900/904] src: Patch for building with musl on openwrt (taken
 #include <linux/netlink.h>
 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
 +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
-@@ -39,6 +39,8 @@
+@@ -37,6 +37,8 @@
  * THE SOFTWARE.
  */
 
@ -48,7 +48,7 @@ Subject: [PATCH 900/904] src: Patch for building with musl on openwrt (taken
 #include <linux/rtnetlink.h>
 --- a/src/libstrongswan/library.h
 +++ b/src/libstrongswan/library.h
-@@ -119,6 +119,7 @@
+@@ -121,6 +121,7 @@
 #include "utils/leak_detective.h"
 #include "plugins/plugin_loader.h"
 #include "settings/settings.h"
@ -99,7 +99,7 @@ Subject: [PATCH 900/904] src: Patch for building with musl on openwrt (taken
 +#undef encrypt
 --- a/src/libstrongswan/plugins/bliss/bliss_huffman.c
 +++ b/src/libstrongswan/plugins/bliss/bliss_huffman.c
-@@ -17,6 +17,8 @@
+@@ -18,6 +18,8 @@
 #include "bliss_param_set.h"
 
 #include <library.h>
--- a/net/strongswan/patches/0901-uci-verbatim-patch-from-openwrt-package-sources.patch
+++ b/net/strongswan/patches/0901-uci-verbatim-patch-from-openwrt-package-sources.patch
@ -9,7 +9,7 @@ Subject: [PATCH 901/904] uci: verbatim patch from openwrt package sources

 --- a/src/libcharon/plugins/uci/uci_parser.c
 +++ b/src/libcharon/plugins/uci/uci_parser.c
-@@ -75,7 +75,7 @@ METHOD(enumerator_t, section_enumerator_
+@@ -76,7 +76,7 @@ METHOD(enumerator_t, section_enumerator_
 		if (uci_lookup(this->ctx, &element, this->package,
 					   this->current->name, "name") == UCI_OK)
 		{	/* use "name" attribute as config name if available ... */
@ -18,7 +18,7 @@ Subject: [PATCH 901/904] uci: verbatim patch from openwrt package sources
 		}
 		else
 		{	/* ... or the section name becomes config name */
-@@ -90,7 +90,7 @@ METHOD(enumerator_t, section_enumerator_
+@@ -91,7 +91,7 @@ METHOD(enumerator_t, section_enumerator_
 		if (value && uci_lookup(this->ctx, &element, this->package,
 						  this->current->name, this->keywords[i]) == UCI_OK)
 		{
--- a/net/strongswan/patches/0904-gmpdh-Plugin-that-implements-gmp-DH-functions-in-an-.patch
+++ b/net/strongswan/patches/0904-gmpdh-Plugin-that-implements-gmp-DH-functions-in-an-.patch
@ -18,23 +18,23 @@ Subject: [PATCH 904/904] gmpdh: Plugin that implements gmp DH functions in an

 --- a/configure.ac
 +++ b/configure.ac
-@@ -146,6 +146,7 @@ ARG_DISBL_SET([fips-prf],       [disable
- ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
+@@ -147,6 +147,7 @@ ARG_DISBL_SET([fips-prf],       [disable
+ ARG_DISBL_SET([gcm],            [disable the GCM AEAD wrapper crypto plugin.])
 ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
 ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
 +ARG_DISBL_SET([gmpdh],          [disable GNU MP (libgmp) based static-linked crypto DH minimal implementation plugin.])
 ARG_DISBL_SET([curve25519],     [disable Curve25519 Diffie-Hellman plugin.])
 ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
- ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
-@@ -1487,6 +1488,7 @@ ADD_PLUGIN([botan],                [s ch
- ADD_PLUGIN([af-alg],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
+ ARG_DISBL_SET([kdf],            [disable KDF (prf+) implementation plugin.])
+@@ -1574,6 +1575,7 @@ ADD_PLUGIN([pkcs8],                [s ch
+ ADD_PLUGIN([af-alg],               [s charon pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([fips-prf],             [s charon nm cmd])
- ADD_PLUGIN([gmp],                  [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen fuzz])
-+ADD_PLUGIN([gmpdh],                [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
+ ADD_PLUGIN([gmp],                  [s charon pki scripts manager medsrv attest nm cmd aikgen fuzz])
+ADD_PLUGIN([gmpdh],                [s charon pki scripts manager medsrv attest nm cmd aikgen])
 ADD_PLUGIN([curve25519],           [s charon pki scripts nm cmd])
 ADD_PLUGIN([agent],                [s charon nm cmd])
 ADD_PLUGIN([keychain],             [s charon cmd])
-@@ -1628,6 +1630,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = x
+@@ -1716,6 +1718,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = x
 AM_CONDITIONAL(USE_MGF1, test x$mgf1 = xtrue)
 AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
 AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
@ -42,7 +42,7 @@ Subject: [PATCH 904/904] gmpdh: Plugin that implements gmp DH functions in an
 AM_CONDITIONAL(USE_CURVE25519, test x$curve25519 = xtrue)
 AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
 AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue)
-@@ -1905,6 +1908,7 @@ AC_CONFIG_FILES([
+@@ -1996,6 +1999,7 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/mgf1/Makefile
 	src/libstrongswan/plugins/fips_prf/Makefile
 	src/libstrongswan/plugins/gmp/Makefile
@ -52,7 +52,7 @@ Subject: [PATCH 904/904] gmpdh: Plugin that implements gmp DH functions in an
 	src/libstrongswan/plugins/aesni/Makefile
 --- a/src/libstrongswan/Makefile.am
 +++ b/src/libstrongswan/Makefile.am
-@@ -348,6 +348,13 @@ if MONOLITHIC
+@@ -357,6 +357,13 @@ if MONOLITHIC
 endif
 endif
 
@ -135,31 +135,31 @@ Subject: [PATCH 904/904] gmpdh: Plugin that implements gmp DH functions in an
 +{
 +	static plugin_feature_t f[] = {
 +		/* DH groups */
-+		PLUGIN_REGISTER(DH, gmp_diffie_hellman_create),
-+			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+		PLUGIN_REGISTER(KE, gmp_diffie_hellman_create),
+			PLUGIN_PROVIDE(KE, MODP_2048_BIT),
 +				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-+			PLUGIN_PROVIDE(DH, MODP_2048_224),
+			PLUGIN_PROVIDE(KE, MODP_2048_224),
 +				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-+			PLUGIN_PROVIDE(DH, MODP_2048_256),
+			PLUGIN_PROVIDE(KE, MODP_2048_256),
 +				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-+			PLUGIN_PROVIDE(DH, MODP_1536_BIT),
+			PLUGIN_PROVIDE(KE, MODP_1536_BIT),
 +				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-+			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
+			PLUGIN_PROVIDE(KE, MODP_3072_BIT),
 +				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-+			PLUGIN_PROVIDE(DH, MODP_4096_BIT),
+			PLUGIN_PROVIDE(KE, MODP_4096_BIT),
 +				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-+			PLUGIN_PROVIDE(DH, MODP_6144_BIT),
+			PLUGIN_PROVIDE(KE, MODP_6144_BIT),
 +				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-+			PLUGIN_PROVIDE(DH, MODP_8192_BIT),
+			PLUGIN_PROVIDE(KE, MODP_8192_BIT),
 +				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-+			PLUGIN_PROVIDE(DH, MODP_1024_BIT),
+			PLUGIN_PROVIDE(KE, MODP_1024_BIT),
 +				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-+			PLUGIN_PROVIDE(DH, MODP_1024_160),
+			PLUGIN_PROVIDE(KE, MODP_1024_160),
 +				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-+			PLUGIN_PROVIDE(DH, MODP_768_BIT),
+			PLUGIN_PROVIDE(KE, MODP_768_BIT),
 +				PLUGIN_DEPENDS(RNG, RNG_STRONG),
-+		PLUGIN_REGISTER(DH, gmp_diffie_hellman_create_custom),
-+			PLUGIN_PROVIDE(DH, MODP_CUSTOM),
+		PLUGIN_REGISTER(KE, gmp_diffie_hellman_create_custom),
+			PLUGIN_PROVIDE(KE, MODP_CUSTOM),
 +				PLUGIN_DEPENDS(RNG, RNG_STRONG),
 +	};
 +	*features = f;
--- a/net/strongswan/patches/0905-undef-wolfssl-RNG.patch
+++ b/net/strongswan/patches/0905-undef-wolfssl-RNG.patch
@ -0,0 +1,12 @@
+--- a/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c
+++ b/src/libstrongswan/plugins/wolfssl/wolfssl_plugin.c
+@@ -50,6 +50,9 @@
+ #ifndef FIPS_MODE
+ #define FIPS_MODE 0
+ #endif
+#ifdef RNG
+#undef RNG
+#endif
+ 
+ typedef struct private_wolfssl_plugin_t private_wolfssl_plugin_t;
+