strongswan: Update to version 6.0.0

Message ID 20250119125457.7940-1-adolf.belka@ipfire.org
State New
Series strongswan: Update to version 6.0.0

Commit Message

Adolf Belka Jan. 19, 2025, 12:54 p.m. UTC
- Update from version 5.9.14 to 6.0.0
- Update of rootfile
- The stroke plugin, which was deprecated in 2014, is no longer enabled by default.
   So it is now enabled explicitly in this patch.
   The stroke plugin is recommended to be migrated to using the vici plugin but this
   will require a re-write of the ipsec WUI page. Hopefully the removal of the stroke
   plugin will also take many years as the time between deprecation and default
   disabling.
- Also aes, curve25519, des, fips-prf, gmp, hmac, md5, pkcs12, rc2, sha1 & sha2 are no
   longer enabled by default. Most of these don't need to be enabled as they are
   supported by the openssl plugin which we have had explicitly enabled for some time.
   The openssl plugin is now enabled by default. After some checks to see which plugins
   I needed to enable to match the current set of algorithms I ended up only needing
   to explicitly enable fips-prf, mgf1 & hmac.
- The ml plugin has also been enabled so that we have the ML_KEM post quantum key
   exchange algorithms enabled so they can be made available in the ipsec WUI.
- All existing algorithms are available together with the following new ones.
   XOF_MGF1_SHA3_224
   XOF_MGF1_SHA3_256
   XOF_MGF1_SHA3_384
   XOF_MGF1_SHA3_512
   ML_KEM_512
   ML_KEM_768
   ML_KEM_1024
- I also installed the build using 6.0.0 into a vm testbed system and confirmed that my
   existing ipsec connection using the default crypto values from the WUI worked without
   any problems. So existing connections should all be fine.
- Changelog
    6.0.0
	New Feature Additions
	    Support for multiple IKEv2 key exchanges (RFC 9370) has been added
	     (3a850ae). IKE_INTERMEDIATE exchanges (RFC 9242) are used to transport
	     additional KE payloads between the IKE_SA_INIT and IKE_AUTH exchanges. To
	     rekey IKE and Child SAs with multiple key exchanges, IKE_FOLLOWUP_KE
	     exchanges are used, as defined in RFC 9370.
	    In proposals, additional key exchange methods are configured via
	     keX_ prefix, where X is a number between 1 and 7. For example,
	     ke1_mlkem768 adds ML-KEM-768 as additional KE method (works with any key
	     exchange method, whether post-quantum or classic). As with regular key
	     exchanges, peers have to agree on a method for each round unless no
	     algorithms are defined by both or keX_none is configured to make that
	     round explicitly optional.
	    Support for the Module-Lattice-Based Key-Encapsulation Mechanism
	     (ML-KEM, FIPS 203), a key exchange method that, at present, is believed
	     to be secure even against adversaries who possess a quantum computer, has
	     been added via Botan 3.6.0+ (botan plugin), wolfSSL 5.7.4+
	     (wolfssl plugin), AWS-LC 1.37.0+ (openssl plugin), and the new ml plugin.
	     The keywords for ML-KEM-512 (128 bits security strength), ML-KEM-768
	     (192 bits), ML-KEM-1024 (256 bits) are mlkem512, mlkem768 and mlkem1024,
	     respectively.
	    AF_VSOCK sockets can be used on Linux to communicate with a daemon that
	     runs in a VM (e.g. via the vici plugin).
	    The file logger can optionally log messages as JSON objects (a2fba6d,
	     bea1f11, see the docs for details), and can add timestamps in
	     microseconds via the new time_precision setting (#2475).
	Enhancements and Optimizations
	    Handling of CHILD_SA rekey collisions has been improved (d2b2e1b). This
	     makes CHILD_SAs properly trackable via child_rekey() hook and some corner
	     cases are also handled correctly e.g. if a responder's DELETE for the new
	     CHILD_SA arrives before its CREATE_CHILD_SA response that creates that SA
	     in the first place. Also handled properly are responders of rekeyings
	     that incorrectly send a DELETE for the old CHILD_SA (previously, this
	     caused both, the new and the old SA, to get deleted).
	    The behavior when reloading or unloading connections that include start in
	     their start_action has been improved (#2324, #2418).
	    If no identity is configured but a certificate is available, the subject
	     DN is used instead of the IP address (#2353).
	    The cert-enroll script now supports three generations of CA certificates
	     (f59ca96).
	    IKE ports are now considered when matching connections (9228a51, 6928709).
	    The base address of in-memory IP address pools is now reported as
	     configured (#2264).
	    IKE fragment sizes can be configured for each address family explicitly
	     (84bd011).
	    The openssl plugin can use the EVP_DigestSqueeze() API for XOFs, which was
	     introduced with OpenSSL 3.3 (3d0f695).
	    The kernel-netlink plugin explicitly configures the direction of IPsec SAs
	     when running on 6.10+ kernels (abdc787).
	    The Android app was updated for compatibility with Android 14 (740cbb2), a
	     bug was fixed that affects importing already existing VPN profiles
	     (9b9cf20).
	Fixes
	    The NetworkManager plugin (charon-nm) now uses a different routing table
	     than the regular IKE daemon to avoid conflicts if both are running (#2230).
	    TUN devices can properly handle IPv6 addresses (fccc764) and routes via
	     them are now correctly installed on FreeBSD (bf165af).
	    Reassigning a matching online lease is now preferred over an offline lease
	     by the in-memory IP address pool to avoid conflicts with make-before-break
	     reauthentication and multiple IKE_SAs per identity (#2472).
	    To avoid conflicts with other processes when using ephemeral UDP ports,
	     the socket-default plugin now always opens IPv4 sockets before IPv6
	     sockets (#2494).
	    Challenge passwords in PKCS#10 containers are again encoded as
	     PrintableString if possible to be compatible with older SCEP
	     implementations (8e88d56).
	    The vici plugin now uses the same ESP proposals (AEAD before regular) when
	     configuring default instead of not configuring esp_proposals at all
	     (8e020bc).
	    Fixed handling of adopted reqids during IKEv1 rekeying (d02aea9, bug was
	     introduced in 5.9.12).
	    A typo in the cert-enroll script prevented successful signalling of a
	     change of the sub CA certificate (957aae8).
	Plugin and Configuration Changes
	    The legacy stroke plugin is no longer enabled by default and must be
	     enabled explicitly.
	    The openssl plugin is now enabled by default, while the following crypto
	     plugins are no longer enabled by default: aes, curve25519, des, fips-prf,
	     gmp, hmac, md5, pkcs12, rc2, sha1, sha2.
	    The following deprecated plugins have been removed: bliss (signature
	     scheme), newhope (key exchange method), ntru (key exchange method).
	    charon.make_before_break is now enabled by default, which initiates IKEv2
	     reauthentication with a make-before-break instead of a break-before-make
	     scheme. Make-before-break creates overlapping IKE and Child SA during
	     reauthentication by first recreating all SAs before deleting the old ones.
	     This behavior can be beneficial to avoid connectivity gaps during
	     reauthentication (unlike rekeying still not completely without
	     interruption), but requires support for overlapping SAs by the peer.
	     strongSwan can handle such overlapping SAs since version 5.3.0.
	For Developers
	    Using the child_rekey() hook now allows tracking CHILD_SAs correctly in
	     case of rekey collisions. The event is generally only triggered once
	     after installing the outbound SA for the new/winning CHILD_SA. However,
	     in some cases the event is triggered twice, but it is now ensured that
	     listeners can properly transition to the winning SA.
	    Refer to the documentation of key_exchange_method_t interface to learn how
	     KEMs can be implemented in plugins.
	    The format of key exchange test vectors has been changed so they can be
	     used for KEMs and classic DH methods (4067678).
	    The NetworkManager frontend's build files have been updated to not rely on
	     gnome-common. It now also uses gettext directly instead of intltool
	     (5019e3e).
	    Performance of running tests in the testing environment has been improved.
	Refer to the 6.0.0 milestone for a list of all closed issues and pull requests.

Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/strongswan | 30 +++++-------------------------
 lfs/strongswan                     | 13 ++++++++-----
 2 files changed, 13 insertions(+), 30 deletions(-)
  

Patch

diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan
index a5f256e02..cd446d1e9 100644
--- a/config/rootfiles/common/strongswan
+++ b/config/rootfiles/common/strongswan
@@ -14,7 +14,6 @@  etc/strongswan.d
 etc/strongswan.d/charon
 etc/strongswan.d/charon-logging.conf
 etc/strongswan.d/charon.conf
-etc/strongswan.d/charon/aes.conf
 etc/strongswan.d/charon/attr.conf
 etc/strongswan.d/charon/ccm.conf
 etc/strongswan.d/charon/chapoly.conf
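Review bot: Dropping etc/strongswan.d/charon/aes.conf here (and the other plugin .conf and .so entries in the later hunks) only stops the files from being shipped; it does not remove them from systems upgraded from 5.9.14. Please say in the commit message whether the stale plugin .conf files and libstrongswan-*.so objects will be deleted by the update that carries this package, so that an upgraded system ends up with the same plugin set as a fresh install.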
@@ -23,8 +22,6 @@  etc/strongswan.d/charon/constraints.conf
 etc/strongswan.d/charon/counters.conf
 etc/strongswan.d/charon/ctr.conf
 etc/strongswan.d/charon/curl.conf
-etc/strongswan.d/charon/curve25519.conf
-etc/strongswan.d/charon/des.conf
 etc/strongswan.d/charon/dhcp.conf
 etc/strongswan.d/charon/dnskey.conf
 etc/strongswan.d/charon/drbg.conf
@@ -38,26 +35,22 @@  etc/strongswan.d/charon/farp.conf
 etc/strongswan.d/charon/fips-prf.conf
 etc/strongswan.d/charon/gcm.conf
 etc/strongswan.d/charon/gcrypt.conf
-etc/strongswan.d/charon/gmp.conf
 etc/strongswan.d/charon/hmac.conf
 etc/strongswan.d/charon/kdf.conf
 etc/strongswan.d/charon/kernel-netlink.conf
-etc/strongswan.d/charon/md5.conf
 etc/strongswan.d/charon/mgf1.conf
+etc/strongswan.d/charon/ml.conf
 etc/strongswan.d/charon/nonce.conf
 etc/strongswan.d/charon/openssl.conf
 etc/strongswan.d/charon/pem.conf
 etc/strongswan.d/charon/pgp.conf
 etc/strongswan.d/charon/pkcs1.conf
-etc/strongswan.d/charon/pkcs12.conf
 etc/strongswan.d/charon/pkcs7.conf
 etc/strongswan.d/charon/pkcs8.conf
 etc/strongswan.d/charon/pubkey.conf
 etc/strongswan.d/charon/random.conf
 etc/strongswan.d/charon/resolve.conf
 etc/strongswan.d/charon/revocation.conf
-etc/strongswan.d/charon/sha1.conf
-etc/strongswan.d/charon/sha2.conf
 etc/strongswan.d/charon/sha3.conf
 etc/strongswan.d/charon/socket-default.conf
 etc/strongswan.d/charon/sshkey.conf
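Review bot: The pkcs12 plugin config is removed in this hunk, but etc/swanctl/pkcs12 stays in the rootfile and the testing described in the commit message covers only an existing connection with the default crypto values. Since md5, sha1, sha2, gmp and pkcs12 all move to the openssl plugin at once, it would be worth confirming that loading a PKCS#12 container and a connection using one of the legacy algorithms still work, and recording that in the commit message.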
@@ -73,7 +66,6 @@  etc/strongswan.d/pki.conf
 etc/strongswan.d/starter.conf
 etc/strongswan.d/swanctl.conf
 #etc/swanctl
-etc/swanctl/bliss
 etc/swanctl/conf.d
 etc/swanctl/ecdsa
 etc/swanctl/pkcs12
@@ -111,7 +103,6 @@  usr/lib/ipsec/libvici.so
 usr/lib/ipsec/libvici.so.0
 usr/lib/ipsec/libvici.so.0.0.0
 #usr/lib/ipsec/plugins
-usr/lib/ipsec/plugins/libstrongswan-aes.so
 usr/lib/ipsec/plugins/libstrongswan-attr.so
 usr/lib/ipsec/plugins/libstrongswan-ccm.so
 usr/lib/ipsec/plugins/libstrongswan-chapoly.so
@@ -120,8 +111,6 @@  usr/lib/ipsec/plugins/libstrongswan-constraints.so
 usr/lib/ipsec/plugins/libstrongswan-counters.so
 usr/lib/ipsec/plugins/libstrongswan-ctr.so
 usr/lib/ipsec/plugins/libstrongswan-curl.so
-usr/lib/ipsec/plugins/libstrongswan-curve25519.so
-usr/lib/ipsec/plugins/libstrongswan-des.so
 usr/lib/ipsec/plugins/libstrongswan-dhcp.so
 usr/lib/ipsec/plugins/libstrongswan-dnskey.so
 usr/lib/ipsec/plugins/libstrongswan-drbg.so
@@ -135,26 +124,24 @@  usr/lib/ipsec/plugins/libstrongswan-farp.so
 usr/lib/ipsec/plugins/libstrongswan-fips-prf.so
 usr/lib/ipsec/plugins/libstrongswan-gcm.so
 usr/lib/ipsec/plugins/libstrongswan-gcrypt.so
-usr/lib/ipsec/plugins/libstrongswan-gmp.so
 usr/lib/ipsec/plugins/libstrongswan-hmac.so
 usr/lib/ipsec/plugins/libstrongswan-kdf.so
 usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so
-usr/lib/ipsec/plugins/libstrongswan-md5.so
 usr/lib/ipsec/plugins/libstrongswan-mgf1.so
+usr/lib/ipsec/plugins/libstrongswan-ml.so
+usr/lib/ipsec/plugins/libstrongswan-ml.so.0
+usr/lib/ipsec/plugins/libstrongswan-ml.so.0.0.0
 usr/lib/ipsec/plugins/libstrongswan-nonce.so
 usr/lib/ipsec/plugins/libstrongswan-openssl.so
 usr/lib/ipsec/plugins/libstrongswan-pem.so
 usr/lib/ipsec/plugins/libstrongswan-pgp.so
 usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
-usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
 usr/lib/ipsec/plugins/libstrongswan-pkcs7.so
 usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
 usr/lib/ipsec/plugins/libstrongswan-pubkey.so
 usr/lib/ipsec/plugins/libstrongswan-random.so
 usr/lib/ipsec/plugins/libstrongswan-resolve.so
 usr/lib/ipsec/plugins/libstrongswan-revocation.so
-usr/lib/ipsec/plugins/libstrongswan-sha1.so
-usr/lib/ipsec/plugins/libstrongswan-sha2.so
 usr/lib/ipsec/plugins/libstrongswan-sha3.so
 usr/lib/ipsec/plugins/libstrongswan-socket-default.so
 usr/lib/ipsec/plugins/libstrongswan-sshkey.so
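Review bot: The ml plugin is added as three entries (libstrongswan-ml.so, libstrongswan-ml.so.0 and libstrongswan-ml.so.0.0.0), while every other plugin in this hunk ships only the unversioned .so. Please check whether the versioned names are really needed in the rootfile or are a build artefact that should be commented out, and note the reason if they are intentional.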
@@ -202,7 +189,6 @@  usr/sbin/swanctl
 #usr/share/strongswan/templates
 #usr/share/strongswan/templates/config
 #usr/share/strongswan/templates/config/plugins
-#usr/share/strongswan/templates/config/plugins/aes.conf
 #usr/share/strongswan/templates/config/plugins/attr.conf
 #usr/share/strongswan/templates/config/plugins/ccm.conf
 #usr/share/strongswan/templates/config/plugins/chapoly.conf
@@ -211,8 +197,6 @@  usr/sbin/swanctl
 #usr/share/strongswan/templates/config/plugins/counters.conf
 #usr/share/strongswan/templates/config/plugins/ctr.conf
 #usr/share/strongswan/templates/config/plugins/curl.conf
-#usr/share/strongswan/templates/config/plugins/curve25519.conf
-#usr/share/strongswan/templates/config/plugins/des.conf
 #usr/share/strongswan/templates/config/plugins/dhcp.conf
 #usr/share/strongswan/templates/config/plugins/dnskey.conf
 #usr/share/strongswan/templates/config/plugins/drbg.conf
@@ -226,26 +210,22 @@  usr/sbin/swanctl
 #usr/share/strongswan/templates/config/plugins/fips-prf.conf
 #usr/share/strongswan/templates/config/plugins/gcm.conf
 #usr/share/strongswan/templates/config/plugins/gcrypt.conf
-#usr/share/strongswan/templates/config/plugins/gmp.conf
 #usr/share/strongswan/templates/config/plugins/hmac.conf
 #usr/share/strongswan/templates/config/plugins/kdf.conf
 #usr/share/strongswan/templates/config/plugins/kernel-netlink.conf
-#usr/share/strongswan/templates/config/plugins/md5.conf
 #usr/share/strongswan/templates/config/plugins/mgf1.conf
+#usr/share/strongswan/templates/config/plugins/ml.conf
 #usr/share/strongswan/templates/config/plugins/nonce.conf
 #usr/share/strongswan/templates/config/plugins/openssl.conf
 #usr/share/strongswan/templates/config/plugins/pem.conf
 #usr/share/strongswan/templates/config/plugins/pgp.conf
 #usr/share/strongswan/templates/config/plugins/pkcs1.conf
-#usr/share/strongswan/templates/config/plugins/pkcs12.conf
 #usr/share/strongswan/templates/config/plugins/pkcs7.conf
 #usr/share/strongswan/templates/config/plugins/pkcs8.conf
 #usr/share/strongswan/templates/config/plugins/pubkey.conf
 #usr/share/strongswan/templates/config/plugins/random.conf
 #usr/share/strongswan/templates/config/plugins/resolve.conf
 #usr/share/strongswan/templates/config/plugins/revocation.conf
-#usr/share/strongswan/templates/config/plugins/sha1.conf
-#usr/share/strongswan/templates/config/plugins/sha2.conf
 #usr/share/strongswan/templates/config/plugins/sha3.conf
 #usr/share/strongswan/templates/config/plugins/socket-default.conf
 #usr/share/strongswan/templates/config/plugins/sshkey.conf
diff --git a/lfs/strongswan b/lfs/strongswan
index 9b2a5bc9f..4241bf0ca 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -1,7 +1,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2024  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 5.9.14
+VER        = 6.0.0
 
 THISAPP    = strongswan-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -40,7 +40,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 8b64903cfa087d42ae0895e7c11a2fcbd9c6a4a4241548d947753e081a4a4e3c5946e5cf4bbd326840e596e51c61554146f007e6882f11c874454b9480f6f7a6
+$(DL_FILE)_BLAKE2 = acb7c76dd3f4ce88ddc9d81c1f831d37c1975441f73af4025049d495c4103e3d4bf132fce4dd85b148cc58e130dd9609383c8eae569f4a3cb55c56f0ac03f9da
 
 install : $(TARGET)
 
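Review bot: The new $(DL_FILE)_BLAKE2 value cannot be checked from the patch itself, and the commit message does not say how the 6.0.0 tarball was verified. Please state that the archive was checked against the upstream release signature or published checksum before this hash was computed.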
@@ -95,8 +95,11 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		--enable-eap-identity \
 		--enable-chapoly \
 		--enable-sha3 \
-		--disable-padlock \
-		--disable-rc2 \
+		--enable-stroke \
+		--enable-fips-prf \
+		--enable-mgf1 \
+		--enable-hmac \
+		--enable-ml \
 		$(CONFIGURE_OPTIONS)
 
 	cd $(DIR_APP) && make $(MAKETUNING)
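Review bot: --disable-padlock is dropped together with --disable-rc2, but the commit message only accounts for rc2 (it is in the list of plugins no longer enabled by default); padlock is not mentioned anywhere. The rootfile diff adds no padlock files, which suggests it is not built, but please confirm that it is off by default in 6.0.0 and say so in the commit message, or keep the flag. The message also says only fips-prf, mgf1 and hmac needed enabling, so a short note that --enable-stroke and --enable-ml are the two deliberate additions on top of those would make the flag list easier to review.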