authorNoel Kuntze2015-06-08 14:49:04 +0200
committerNoel Kuntze2015-06-08 14:49:04 +0200
commit9f98fc8ab2ac77eaf412604047c85cc35dd31f2e (patch)
tree6488216d7d1c6512fe2b32a08bfbb3ac54da6ba6
downloadaur-9f98fc8ab2ac77eaf412604047c85cc35dd31f2e.tar.gz
initial commit
-rw-r--r--.SRCINFO24
-rw-r--r--CHANGELOG68
-rw-r--r--PKGBUILD60
3 files changed, 152 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..1037f9d43b4d
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,24 @@
+# Generated by makepkg 4.2.1
+# Mon Jun 8 12:35:09 UTC 2015
+pkgbase = strongswan
+ pkgdesc = open source IPsec implementation
+ pkgver = 5.3.2
+ pkgrel = 1
+ url = http://www.strongswan.org
+ arch = i686
+ arch = x86_64
+ license = GPL
+ depends = curl
+ depends = gmp
+ depends = iproute2
+ depends = openssl
+ depends = sqlite
+ conflicts = openswan
+ options = !libtool
+ backup = etc/ipsec.conf
+ backup = etc/strongswan.conf
+ source = https://download.strongswan.org/strongswan-5.3.2.tar.bz2
+ sha256sums = a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225
+
+pkgname = strongswan
+
diff --git a/CHANGELOG b/CHANGELOG
new file mode 100644
index 000000000000..f7041712694e
--- /dev/null
+++ b/CHANGELOG
@@ -0,0 +1,68 @@
+Added support for IKEv2 make-before-break reauthentication. By using a global
+CHILD_SA reqid allocation mechanism, charon supports overlapping CHILD_SAs.
+This allows the use of make-before-break instead of the previously supported
+break-before-make reauthentication, avoiding connectivity gaps during that
+procedure. As the new mechanism may fail with peers not supporting it (such
+as any previous strongSwan release) it must be explicitly enabled using
+the charon.make_before_break strongswan.conf option.
+
+Support for Signature Authentication in IKEv2 (RFC 7427) has been added.
+This allows the use of stronger hash algorithms for public key authentication.
+
+By default, signature schemes are chosen based on the strength of the
+signature key, but specific hash algorithms may be configured in leftauth.
+Key types and hash algorithms specified in rightauth are now also checked
+against IKEv2 signature schemes. If such constraints are used for certificate
+chain validation in existing configurations, in particular with peers that
+don't support RFC 7427, it may be necessary to disable this feature with the
+charon.signature_authentication_constraints setting, because the signature
+scheme used in classic IKEv2 public key authentication may not be strong
+enough.
+
+The new connmark plugin allows a host to bind conntrack flows to a specific
+CHILD_SA by applying and restoring the SA mark to conntrack entries. This
+allows a peer to handle multiple transport mode connections coming over the
+same NAT device for client-initiated flows (a common use case is to protect
+L2TP/IPsec). See ikev2/host2host-transport-connmark for an example.
+
+The forecast plugin can forward broadcast and multicast messages between
+connected clients and a LAN. For CHILD_SA using unique marks, it sets up
+the required Netfilter rules and uses a multicast/broadcast listener that
+forwards such messages to all connected clients. This plugin is designed for
+Windows 7 IKEv2 clients, which announce their services over the tunnel if the
+negotiated IPsec policy allows it. See ikev2/forecast for an example.
+
+For the vici plugin a Python Egg has been added to allow Python applications
+to control or monitor the IKE daemon using the VICI interface, similar to the
+existing ruby gem. The Python library has been contributed by Björn Schuberg.
+
+EAP server methods now can fulfill public key constraints, such as rightcert
+or rightca. Additionally, public key and signature constraints can be
+specified for EAP methods in the rightauth keyword. Currently the EAP-TLS and
+EAP-TTLS methods provide verification details to constraints checking.
+
+Upgrade of the BLISS post-quantum signature algorithm to the improved BLISS-B
+variant. Can be used in conjunction with the SHA256, SHA384 and SHA512 hash
+algorithms with SHA512 being the default.
+
+The IF-IMV 1.4 interface now makes the IP address of the TNC access requestor
+as seen by the TNC server available to all IMVs. This information can be
+forwarded to policy enforcement points (e.g. firewalls or routers).
+
+The new mutual tnccs-20 plugin parameter activates mutual TNC measurements
+in PB-TNC half-duplex mode between two endpoints over either a PT-EAP or
+PT-TLS transport medium.
+
+SPIs in IKEv1 DELETE payloads are now compared to those of the current IKE SA.
+This is required for interoperability with OpenBSD's isakmpd, which always uses the
+latest IKE SA to delete other expired SAs.
+
+The files plugin provides a simple fetcher for file:// URIs (1735d80f38).
+
+Fixed CRL verification for PKIs that don't use SHA-1 hashes of the public key
+as subjectKeyIdentifier or authorityKeyIdentifier (6133770db4).
+
+Route priorities are now considered when doing manual route lookups (6b57790270).
+
+Policies are now removed from the kernel before IPsec SAs, to avoid acquires
+for untrapped policies (46188b0eb0).
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..5cfec62957f1
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,60 @@
+## Contributor: nikicat <develniks at gmail dot com>
+# Contributor: danilo <gezuru at gmail dot com>
+# Contributor: Jason Begley <jayray at digitalgoat dot com>
+# Contributor: Ray Kohler <ataraxia937 at gmail dot com>
+# Contributor: Daniel Riedemann <daniel.riedemann [at] googlemail [dot] com>
+# Contributor: 458italia <svenskaparadox [at] gmail dot com>
+# Contributor: Thermi <noel [at] familie-kuntze dot com>
+# Former maintainer: dkorzhevin <dkorzhevin at gmail dot com>
+# Maintainer: Thermi <noel [at] familie-kuntze dot com>
+
+pkgname=strongswan
+pkgver=5.3.2
+pkgrel=1
+pkgdesc="open source IPsec implementation"
+url='http://www.strongswan.org'
+license=("GPL")
+arch=('i686' 'x86_64')
+depends=('curl' 'gmp' 'iproute2' 'openssl' 'sqlite')
+conflicts=('openswan')
+options=(!libtool)
+backup=(etc/ipsec.conf etc/strongswan.conf)
+
+source=("https://download.strongswan.org/strongswan-${pkgver}.tar.bz2")
+
+# md5 is broken. We use sha256 now. Alternatively, we could check the signature of the file, but that
+# doesn't yield any more security and just increases the work users initially have to invest.
+sha256sums=('a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225')
+
+# We don't build libipsec because it would get loaded before kernel-netlink and netkey, which
+# would case processing to be handled in user space. Also, the plugin is experimental. If you need it,
+# add --enable-libipsec and --enable-kernel-libipsec
+
+build() {
+ cd ${srcdir}/${pkgname}-${pkgver}
+
+ ./configure --prefix=/usr \
+ --sbindir=/usr/bin \
+ --sysconfdir=/etc \
+ --libexecdir=/usr/lib \
+ --with-ipsecdir=/usr/lib/strongswan \
+ --enable-sqlite \
+ --enable-openssl --enable-curl \
+ --enable-sql --enable-attr-sql \
+ --enable-farp --enable-dhcp \
+ --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-pseudonym \
+ --enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5 \
+ --enable-eap-gtc --enable-eap-aka --enable-eap-aka-3gpp2 \
+ --enable-eap-mschapv2 --enable-eap-radius --enable-xauth-eap \
+ --enable-ha --enable-vici --enable-swanctl --enable-systemd --enable-ext-auth \
+ --disable-mysql --disable-ldap -enable-cmd --enable-forecast --enable-connmark \
+ --enable-aesni
+# --enable-ruby-gems --enable-python-eggs
+ make
+}
+
+package() {
+ cd "${srcdir}/${pkgname}-${pkgver}"
+ make DESTDIR=${pkgdir} install
+}
+
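Review bot: The comment above `sha256sums` says that checking the upstream signature "doesn't yield any more security", but a checksum pinned in the PKGBUILD only proves the tarball matches the copy the maintainer happened to download; it does not establish that this copy came from the strongSwan release signer, which is exactly what the detached signature gives. makepkg 4.2 (which generated the .SRCINFO here) supports `validpgpkeys`, so adding the upstream `.sig` to `source` with a `'SKIP'` checksum entry gives provenance for free, and the comment should be reworded accordingly. Two smaller points in the same hunk: `build()` uses `cd ${srcdir}/${pkgname}-${pkgver}` unquoted while `package()` quotes the same path, and `make DESTDIR=${pkgdir} install` is unquoted too; both should be `cd "${srcdir}/${pkgname}-${pkgver}"` and `make DESTDIR="${pkgdir}" install` so a build directory containing spaces does not break. In the configure line, `-enable-cmd` is the only single-dash option; autoconf-generated scripts generally accept it, but it reads like a typo next to every other flag and should be `--enable-cmd`.
```shell
source=("https://download.strongswan.org/strongswan-${pkgver}.tar.bz2"
        "https://download.strongswan.org/strongswan-${pkgver}.tar.bz2.sig")
# Fingerprint of the upstream release signing key; confirm it out of band before pinning.
validpgpkeys=('<strongSwan release signing key fingerprint>')
sha256sums=('a4a9bc8c4e42bdc4366a87a05a02bf9f425169a7ab0c6f4482d347e44acbf225'
            'SKIP')
# … unchanged: libipsec comment …
build() {
    cd "${srcdir}/${pkgname}-${pkgver}"
    # … unchanged: ./configure invocation, with -enable-cmd written as --enable-cmd …
    make
}

package() {
    cd "${srcdir}/${pkgname}-${pkgver}"
    make DESTDIR="${pkgdir}" install
}
```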