author thermi 2015-11-20 11:21:05 +0100
committer thermi 2015-11-20 11:21:05 +0100
commit 4aac09dc6b739bfa18a316408506d38d11277ea2 (patch)
tree ebfba041d02962d0e67a2062d545fc3d403715c8
parent 7ae13cafb83e1968f03cafa2d4c9b132c5833acb (diff)
download aur-4aac09dc6b739bfa18a316408506d38d11277ea2.tar.gz
strongswan: Bump to 5.3.4-2
-rw-r--r-- .SRCINFO 4
-rw-r--r-- CHANGELOG 101
-rw-r--r-- PKGBUILD 13
3 files changed, 13 insertions, 105 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 0bf89fea5ab2..a9de5e1f769b 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = strongswan
pkgdesc = open source IPsec implementation
pkgver = 5.3.4
- pkgrel = 1
+ pkgrel = 2
url = http://www.strongswan.org
arch = i686
arch = x86_64
@@ -82,7 +82,9 @@ pkgbase = strongswan
backup = etc/strongswan.d/charon/xcbc.conf
backup = etc/strongswan.d/charon/chapoly.conf
source = https://download.strongswan.org/strongswan-5.3.4.tar.bz2
+ source = sigfix.patch
sha256sums = 938ad1f7b612e039f1d32333f4865160be70f9fb3c207a31127d0168116459aa
+ sha256sums = 9f12c48bd4a82802107c0d171468e7e6a8a9d303df7838433b398add7d2cd25e
pkgname = strongswan
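Review bot: The added `source = sigfix.patch` and `sha256sums = 9f12c48b...` entries match the values in the PKGBUILD hunk below, which is the essential check; please confirm .SRCINFO was regenerated (e.g. with mksrcinfo) rather than edited by hand, since a hand-edited .SRCINFO drifts from PKGBUILD on the next change and the AUR metadata then no longer reflects what makepkg verifies.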
diff --git a/CHANGELOG b/CHANGELOG
deleted file mode 100644
index dc57b2145f4b..000000000000
--- a/CHANGELOG
+++ /dev/null
@@ -1,101 +0,0 @@
-Added support for the ChaCha20/Poly1305 AEAD cipher specified in RFC 7539 and
-RFC 7634 using the chacha20poly1305 ike/esp proposal keyword.
-
-The new chapoly plugin implements the cipher, if possible SSE-accelerated on x86/x64
-architectures. It is usable both in IKEv2 and the strongSwan libipsec ESP backend.
-On Linux 4.2 or newer the kernel-netlink plugin can configure the cipher for ESP SAs.
-The vici/swanctl interface now supports the configuration of auxiliary certification
-authority information as CRL and OCSP URIs.
-
-In the bliss plugin the c_indices derivation using a SHA-512 based random oracle
-has been fixed, generalized and standardized by employing the MGF1 mask generation
-function with SHA-512. As a consequence BLISS signatures unsing the improved oracle
-are not compatible with the earlier implementation.
-
-Support for auto=route with right=%any for transport mode connections has been
-added (refer to #196-6 for details and some examples).
-
-The starter daemon does not flush IPsec policies and SAs anymore when it is stopped.
-Already existing duplicate policies are now overwritten by the IKE daemon when it
-installs its policies (695112d7b8, dc2fa791e4). Usually, there shouldn't be any
-leftovers after the IKE daemon has been properly terminated, but if it crashes the kernel
-state won't be cleaned up. Because earlier releases couldn't handle already existing
-duplicate policies in the kernel, the starter daemon flushed them during shutdown so
-the daemon would find a clean slate when was restarted. Since existing policies are not
-a problem anymore this is no longer necessary. And in situations where installpolicies=no
-is used policies shouldn't be flushed blindly anyway.
-
-Init limits can now optionally be enforced when initiating SAs via VICI. For this IKE_SAs
-initiated by the daemon are now also counted as half-open SAs, which, as a side-effect,
-fixes the status output while connecting (e.g. in ipsec status).
-
-Symmetric configuration of EAP methods in left|rightauth is now possible when mutual
-EAP-only authentication is used (previously, the client had to configure rightauth=eap
-or rightauth=any, which prevented it from using this same config as responder).
-
-The initiator flag in the IKEv2 header is compared again (wasn't the case since 5.0.0) and
-packets that have the flag set incorrectly are again ignored (47a340e1f7, 5fee79d854).
-
-Implemented a demo Hardcopy Device IMC/IMV pair based on the "Hardcopy Device Health
-Assessment Trusted Network Connect Binding" (HCD-TNC) document drafted by the IEEE
-Printer Working Group (PWG), see HCD-IMC and HCD-IMV.
-
-Fixed IF-M segmentation which failed in the presence of multiple small attributes in front
-of a huge attribute to be segmented (10f25a3dd9).
-
-Refcounting for allocated reqids has been fixed for situations where make-before-break
-reauthentication is used and CHILD_SAs have already been rekeyed (3665adef19).
-
-Fixed a crash when retrying CHILD_SA rekeying due to a DH group mismatch (1729df9275).
-
-If multiple CA certificates are set in swanctl.conf (connections.<conn>.remote<suffix>.cacerts)
-it is now enough if the certificate chain contains at least one of them, not all (774c8c3847).
-
-Referring to a CA certificate in ipsec.d/cacerts in a ca section does not cause duplicate
-certificate requests anymore (was the case since 5.3.0, #842-10). CA certificates are
-now atomically reloaded by ipsec rereadcacerts so unchanged certificates are always
-available. The command now also reloads certificates referenced in CA sections.
-
-Inbound IKEv1 messages are now handled with different job priorities (a5c07be058).
-
-When strongSwan creates ASN.1 DN identities from strings, it now uses UTF8String
-instead of T61String to encode RDNs that contain characters outside the character set
-of PrintableString.
-
-The new pki --dn command extracts subject DistinguishedNames from certificates,
-which is useful if the automatic identity parsing is unable to produce the correct
-binary ASN.1 encoding of the DN from its string representation.
-
-To implement IPv6 NDP proxying via updown script (e.g. via ip -6 neigh add proxy)
-the virtual IPs assigned to a client are now passed to the script (#1008).
-
-RADIUS Accounting Start messages are now correctly triggered for IKEv1 SAs when clients
-don't do any Mode Config or XAuth exchanges during reauthentication (#937).
-
-Support for the Framed-IPv6-Address and DNS-Server-IPv6-Address RADIUS attributes has
-been added. Virtual IPv6 addresses are now sent in Framed-IPv6-Address attributes in
-RADIUS Accounting messages (#1001).
-
-Some fixes went into the HA plugin and related code: The jhash() function was updated
-for Linux 4.1+ (93caf23e1b), NAT keepalives (edaba56ec7) and CHILD_SA rekeying
-(e095d87bb6) are now disabled for passive SAs, and the remote address is synced
-when an SA is first added (3434709460). Also, the use of AEAD algorithms in CHILD_SAs
-has been fixed (#1051) and the control FIFO is recreated if it is no FIFO (fffee7c759).
-
-The buffer size for the Netlink receive buffer has been changed, the default is now the same
-as in the kernel (a6896b6149, 197de6e66b).
-
-In particular for hosts with lots of routes an alternative faster source address lookup may be
-used by setting charon.plugins.kernel-netlink.fwmark=!<mark> (6bd1216e7a).
-
-The kernel-pfkey plugin now can configure AES-GCM, which is supported on FreeBSD 11.
-
-Fixed some potential race conditions during shutdown of the daemon (#1014).
-
-Address resolution has been improved: If a local address is configured we use the same
-address family when resolving the remote address (#993). If the remote address resolves
-to %any during reauthentication or when reestablishing an SA we keep the current
-address (#1027).
-
-A new option allows disabling the side-swapping based on the addresses/hostnames in
-left|right, when the stroke plugin loads a config from ipsec.conf.
diff --git a/PKGBUILD b/PKGBUILD
index bf69e4ee644a..786c65fca5ab 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -10,7 +10,7 @@
pkgname=strongswan
pkgver=5.3.4
-pkgrel=1
+pkgrel=2
pkgdesc="open source IPsec implementation"
url='http://www.strongswan.org'
license=("GPL")
@@ -33,16 +33,23 @@ revocation.conf,sha1.conf,sha2.conf,socket-default.conf,sql.conf,sqlite.conf,ssh
vici.conf,x509.conf,xauth-eap.conf,xauth-generic.conf,xcbc.conf,chapoly.conf}
)
-source=("https://download.strongswan.org/strongswan-${pkgver}.tar.bz2")
+source=("https://download.strongswan.org/strongswan-${pkgver}.tar.bz2"
+ "sigfix.patch")
# md5 is broken. We use sha256 now. Alternatively, we could check the signature of the file, but that
# doesn't yield any more security and just increases the work users initially have to invest.
-sha256sums=('938ad1f7b612e039f1d32333f4865160be70f9fb3c207a31127d0168116459aa')
+sha256sums=('938ad1f7b612e039f1d32333f4865160be70f9fb3c207a31127d0168116459aa'
+ '9f12c48bd4a82802107c0d171468e7e6a8a9d303df7838433b398add7d2cd25e')
# We don't build libipsec because it would get loaded before kernel-netlink and netkey, which
# would case processing to be handled in user space. Also, the plugin is experimental. If you need it,
# add --enable-libipsec and --enable-kernel-libipsec
+prepare() {
+ cd ${srcdir}/${pkgname}-${pkgver}
+ patch -p1 < ${srcdir}/sigfix.patch
+}
+
build() {
cd ${srcdir}/${pkgname}-${pkgver}
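Review bot: In the new prepare() the paths are expanded unquoted in `cd ${srcdir}/${pkgname}-${pkgver}` and `patch -p1 < ${srcdir}/sigfix.patch`, so a build directory whose path contains whitespace is word-split and the patch is applied to the wrong tree or not at all; quote them as `cd "${srcdir}/${pkgname}-${pkgver}"` and `patch -p1 < "${srcdir}/sigfix.patch"` (the unchanged `cd` in build() has the same issue). The hunk also adds sigfix.patch with no comment saying which signature problem it fixes or where it was taken from; a one-line comment above prepare() naming the upstream fix it carries would tell future maintainers when the patch can be dropped. Since the patch is now a pinned, checksummed input to the build, its provenance is worth recording for the same reason the existing comment gives for switching from md5 to sha256.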