strongswan: bump to 5.4.0 2437/head
authorStijn Tintel <stijn@linux-ipv6.be>
Mon, 28 Mar 2016 18:42:19 +0000 (20:42 +0200)
committerStijn Tintel <stijn@linux-ipv6.be>
Wed, 6 Jul 2016 17:54:40 +0000 (19:54 +0200)
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
net/strongswan/Makefile
net/strongswan/patches/101-musl-fixes.patch
net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch [deleted file]
net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch [deleted file]
net/strongswan/patches/201-kmodloader.patch
net/strongswan/patches/210-sleep.patch
net/strongswan/patches/305-minimal_dh_plugin.patch

index 85f733e312834957090e783fd31e727e7f629dd8..b91f5e1b550cc12c145aee796a638dcc4ce3e169 100644 (file)
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=strongswan
-PKG_VERSION:=5.3.5
-PKG_RELEASE:=3
+PKG_VERSION:=5.4.0
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/
-PKG_MD5SUM:=a2f9ea185f27e7f8413d4cd2ee61efe4
+PKG_MD5SUM:=9d7c77b0da9b69f859624897e5e9ebbf
 PKG_LICENSE:=GPL-2.0+
 PKG_MAINTAINER:=Steven Barth <cyrus@openwrt.org>
 
@@ -399,7 +399,7 @@ define Package/strongswan/install
        $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/ipsec.conf $(1)/etc/
        $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/strongswan.conf $(1)/etc/
        $(INSTALL_DIR) $(1)/usr/lib/ipsec
-       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{libstrongswan.so.*,libhydra.so.*} $(1)/usr/lib/ipsec/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libstrongswan.so.* $(1)/usr/lib/ipsec/
        $(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/
        $(INSTALL_CONF) ./files/ipsec.user $(1)/etc/
        $(INSTALL_DIR) $(1)/etc/init.d
@@ -562,7 +562,7 @@ $(eval $(call BuildPlugin,socket-dynamic,dynamic socket implementation for charo
 $(eval $(call BuildPlugin,sql,SQL database interface,))
 $(eval $(call BuildPlugin,sqlite,SQLite database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-sqlite:libsqlite3))
 $(eval $(call BuildPlugin,sshkey,SSH key decoding,))
-$(eval $(call BuildPlugin,stroke,Stroke,+strongswan-utils))
+$(eval $(call BuildPlugin,stroke,Stroke,+strongswan-charon +strongswan-utils))
 $(eval $(call BuildPlugin,test-vectors,crypto test vectors,))
 $(eval $(call BuildPlugin,uci,UCI config interface,+PACKAGE_strongswan-mod-uci:libuci))
 $(eval $(call BuildPlugin,unity,Cisco Unity extension,))
index 3b90e6cf2ee7ae4078d367bd22405e05d8106da7..a360d1cab9dde326e2034484678ae91187917445 100644 (file)
@@ -50,8 +50,8 @@
 +#undef blkcnt_t
 +#undef crypt
 +#undef encrypt
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
 @@ -18,6 +18,8 @@
   * for more details.
   */
@@ -61,8 +61,8 @@
  #include <sys/types.h>
  #include <sys/socket.h>
  #include <stdint.h>
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_net.c
+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
 @@ -37,6 +37,8 @@
   * THE SOFTWARE.
   */
@@ -72,8 +72,8 @@
  #include <sys/socket.h>
  #include <sys/utsname.h>
  #include <linux/netlink.h>
---- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
-+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_shared.c
+--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
++++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
 @@ -15,6 +15,8 @@
   * for more details.
   */
diff --git a/net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch b/net/strongswan/patches/102-forecast-Fix-alignment-when-adding-rules.patch
deleted file mode 100644 (file)
index 4e743f5..0000000
+++ /dev/null
@@ -1,324 +0,0 @@
-From 1f642f872abe39cb5a67a87c4e9b63c9d78657d7 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Mon, 30 Nov 2015 16:30:22 +0100
-Subject: [PATCH 2/2] forecast: Fix alignment when adding rules
-
-Basically the same issue as with the connmark plugin.
-
- #1212
----
- src/libcharon/plugins/forecast/forecast_listener.c | 247 +++++++++++----------
- 1 file changed, 133 insertions(+), 114 deletions(-)
-
-diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c
-index 63a8cb1..7e93617 100644
---- a/src/libcharon/plugins/forecast/forecast_listener.c
-+++ b/src/libcharon/plugins/forecast/forecast_listener.c
-@@ -1,4 +1,7 @@
- /*
-+ * Copyright (C) 2015 Tobias Brunner
-+ * Hochschule fuer Technik Rapperswil
-+ *
-  * Copyright (C) 2010-2014 Martin Willi
-  * Copyright (C) 2010-2014 revosec AG
-  *
-@@ -25,6 +28,15 @@
- #include <collections/hashtable.h>
- #include <threading/rwlock.h>
-
-+/**
-+ * Add a struct at the current position in the buffer
-+ */
-+#define ADD_STRUCT(pos, st, ...) ({\
-+      typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\
-+      *(st*)_cur = (st){ __VA_ARGS__ };\
-+      (st*)_cur;\
-+})
-+
- typedef struct private_forecast_listener_t private_forecast_listener_t;
-
- /**
-@@ -164,60 +176,60 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain,
- static bool manage_pre_esp_in_udp(struct iptc_handle *ipth,
-                                                                 entry_t *entry, bool add)
- {
--      struct {
--              struct ipt_entry e;
--              struct ipt_entry_match m;
--              struct xt_udp udp;
--              struct ipt_entry_target t;
--              struct xt_mark_tginfo2 tm;
--      } ipt = {
--              .e  = {
--                      .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
--                                                                        sizeof(ipt.udp)),
--                      .next_offset = sizeof(ipt),
--                      .ip = {
--                              .proto = IPPROTO_UDP,
--                      },
-+      u_int16_t match_size    = XT_ALIGN(sizeof(struct ipt_entry_match)) +
-+                                                        XT_ALIGN(sizeof(struct xt_udp));
-+      u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
-+      u_int16_t target_size   = XT_ALIGN(sizeof(struct ipt_entry_target)) +
-+                                                        XT_ALIGN(sizeof(struct xt_mark_tginfo2));
-+      u_int16_t entry_size    = target_offset + target_size;
-+      u_char ipt[entry_size], *pos = ipt;
-+      struct ipt_entry *e;
-+
-+      memset(ipt, 0, sizeof(ipt));
-+      e = ADD_STRUCT(pos, struct ipt_entry,
-+              .target_offset = target_offset,
-+              .next_offset = entry_size,
-+              .ip = {
-+                      .proto = IPPROTO_UDP,
-               },
--              .m = {
--                      .u = {
--                              .user = {
--                                      .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)),
--                                      .name = "udp",
--                              },
-+      );
-+      if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) ||
-+              !host2in(entry->rhost, &e->ip.src, &e->ip.smsk))
-+      {
-+              return FALSE;
-+      }
-+      ADD_STRUCT(pos, struct ipt_entry_match,
-+              .u = {
-+                      .user = {
-+                              .match_size = match_size,
-+                              .name = "udp",
-                       },
-               },
--              .udp = {
--                      .spts = {
--                              entry->rhost->get_port(entry->rhost),
--                              entry->rhost->get_port(entry->lhost)
--                      },
--                      .dpts = {
--                              entry->lhost->get_port(entry->lhost),
--                              entry->lhost->get_port(entry->lhost)
--                      },
-+      );
-+      ADD_STRUCT(pos, struct xt_udp,
-+              .spts = {
-+                      entry->rhost->get_port(entry->rhost),
-+                      entry->rhost->get_port(entry->lhost)
-               },
--              .t = {
--                      .u = {
--                              .user = {
--                                      .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
--                                      .name = "MARK",
--                                      .revision = 2,
--                              },
--                      },
-+              .dpts = {
-+                      entry->lhost->get_port(entry->lhost),
-+                      entry->lhost->get_port(entry->lhost)
-               },
--              .tm = {
--                      .mark = entry->mark,
--                      .mask = ~0,
-+      );
-+      ADD_STRUCT(pos, struct ipt_entry_target,
-+              .u = {
-+                      .user = {
-+                              .target_size = target_size,
-+                              .name = "MARK",
-+                              .revision = 2,
-+                      },
-               },
--      };
--
--      if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
--              !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk))
--      {
--              return FALSE;
--      }
--      return manage_rule(ipth, "PREROUTING", add, &ipt.e);
-+      );
-+      ADD_STRUCT(pos, struct xt_mark_tginfo2,
-+              .mark = entry->mark,
-+              .mask = ~0,
-+      );
-+      return manage_rule(ipth, "PREROUTING", add, e);
- }
-
- /**
-@@ -225,53 +237,53 @@ static bool manage_pre_esp_in_udp(struct iptc_handle *ipth,
-  */
- static bool manage_pre_esp(struct iptc_handle *ipth, entry_t *entry, bool add)
- {
--      struct {
--              struct ipt_entry e;
--              struct ipt_entry_match m;
--              struct xt_esp esp;
--              struct ipt_entry_target t;
--              struct xt_mark_tginfo2 tm;
--      } ipt = {
--              .e  = {
--                      .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
--                                                                        sizeof(ipt.esp)),
--                      .next_offset = sizeof(ipt),
--                      .ip = {
--                              .proto = IPPROTO_ESP,
--                      },
-+      u_int16_t match_size    = XT_ALIGN(sizeof(struct ipt_entry_match)) +
-+                                                        XT_ALIGN(sizeof(struct xt_esp));
-+      u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
-+      u_int16_t target_size   = XT_ALIGN(sizeof(struct ipt_entry_target)) +
-+                                                        XT_ALIGN(sizeof(struct xt_mark_tginfo2));
-+      u_int16_t entry_size    = target_offset + target_size;
-+      u_char ipt[entry_size], *pos = ipt;
-+      struct ipt_entry *e;
-+
-+      memset(ipt, 0, sizeof(ipt));
-+      e = ADD_STRUCT(pos, struct ipt_entry,
-+              .target_offset = target_offset,
-+              .next_offset = entry_size,
-+              .ip = {
-+                      .proto = IPPROTO_ESP,
-               },
--              .m = {
--                      .u = {
--                              .user = {
--                                      .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)),
--                                      .name = "esp",
--                              },
-+      );
-+      if (!host2in(entry->lhost, &e->ip.dst, &e->ip.dmsk) ||
-+              !host2in(entry->rhost, &e->ip.src, &e->ip.smsk))
-+      {
-+              return FALSE;
-+      }
-+      ADD_STRUCT(pos, struct ipt_entry_match,
-+              .u = {
-+                      .user = {
-+                              .match_size = match_size,
-+                              .name = "esp",
-                       },
-               },
--              .esp = {
--                      .spis = { htonl(entry->spi), htonl(entry->spi) },
--              },
--              .t = {
--                      .u = {
--                              .user = {
--                                      .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
--                                      .name = "MARK",
--                                      .revision = 2,
--                              },
-+      );
-+      ADD_STRUCT(pos, struct xt_esp,
-+              .spis = { htonl(entry->spi), htonl(entry->spi) },
-+      );
-+      ADD_STRUCT(pos, struct ipt_entry_target,
-+              .u = {
-+                      .user = {
-+                              .target_size = target_size,
-+                              .name = "MARK",
-+                              .revision = 2,
-                       },
-               },
--              .tm = {
--                      .mark = entry->mark,
--                      .mask = ~0,
--              },
--      };
--
--      if (!host2in(entry->lhost, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
--              !host2in(entry->rhost, &ipt.e.ip.src, &ipt.e.ip.smsk))
--      {
--              return FALSE;
--      }
--      return manage_rule(ipth, "PREROUTING", add, &ipt.e);
-+      );
-+      ADD_STRUCT(pos, struct xt_mark_tginfo2,
-+              .mark = entry->mark,
-+              .mask = ~0,
-+      );
-+      return manage_rule(ipth, "PREROUTING", add, e);
- }
-
- /**
-@@ -291,45 +303,52 @@ static bool manage_pre(struct iptc_handle *ipth, entry_t *entry, bool add)
-  */
- static bool manage_out(struct iptc_handle *ipth, entry_t *entry, bool add)
- {
--      struct {
--              struct ipt_entry e;
--              struct ipt_entry_target t;
--              struct xt_mark_tginfo2 m;
--      } ipt = {
--              .e  = {
--                      .target_offset = XT_ALIGN(sizeof(ipt.e)),
--                      .next_offset = sizeof(ipt),
--              },
--              .t = {
--                      .u.user.target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.m)),
--                      .u.user.name = "MARK",
--                      .u.user.revision = 2,
--              },
--              .m = {
--                      .mark = entry->mark,
--                      .mask = ~0,
-+      u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry));
-+      u_int16_t target_size   = XT_ALIGN(sizeof(struct ipt_entry_target)) +
-+                                                        XT_ALIGN(sizeof(struct xt_mark_tginfo2));
-+      u_int16_t entry_size    = target_offset + target_size;
-+      u_char ipt[entry_size], *pos = ipt;
-+      struct ipt_entry *e;
-+
-+      memset(ipt, 0, sizeof(ipt));
-+      e = ADD_STRUCT(pos, struct ipt_entry,
-+              .target_offset = target_offset,
-+              .next_offset = entry_size,
-+      );
-+      ADD_STRUCT(pos, struct ipt_entry_target,
-+              .u = {
-+                      .user = {
-+                              .target_size = target_size,
-+                              .name = "MARK",
-+                              .revision = 2,
-+                      },
-               },
--      };
-+      );
-+      ADD_STRUCT(pos, struct xt_mark_tginfo2,
-+              .mark = entry->mark,
-+              .mask = ~0,
-+      );
-+
-       enumerator_t *enumerator;
-       traffic_selector_t *ts;
-
-       enumerator = array_create_enumerator(entry->rts);
-       while (enumerator->enumerate(enumerator, &ts))
-       {
--              if (!ts2in(ts, &ipt.e.ip.dst, &ipt.e.ip.dmsk))
-+              if (!ts2in(ts, &e->ip.dst, &e->ip.dmsk))
-               {
-                       continue;
-               }
--              if (ipt.e.ip.dst.s_addr == 0xffffffff ||
--                      ipt.e.ip.dst.s_addr == entry->broadcast ||
--                      memeq(&ipt.e.ip.dst.s_addr, "\xe0", 1))
-+              if (e->ip.dst.s_addr == 0xffffffff ||
-+                      e->ip.dst.s_addr == entry->broadcast ||
-+                      memeq(&e->ip.dst.s_addr, "\xe0", 1))
-               {
-                       /* skip broadcast/multicast selectors, they are shared and the mark
-                        * is set by the socket we use for reinjection */
-                       continue;
-               }
--              if (!manage_rule(ipth, "PREROUTING", add, &ipt.e) ||
--                      !manage_rule(ipth, "OUTPUT", add, &ipt.e))
-+              if (!manage_rule(ipth, "PREROUTING", add, e) ||
-+                      !manage_rule(ipth, "OUTPUT", add, e))
-               {
-                       enumerator->destroy(enumerator);
-                       return FALSE;
---
-2.4.10
diff --git a/net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch b/net/strongswan/patches/110-connmark-Fix-alignment-when-adding-rules.patch
deleted file mode 100644 (file)
index 963bd1b..0000000
+++ /dev/null
@@ -1,411 +0,0 @@
-From a4d7f5ee6f36decdcd18d70078e1f0a847fe9b24 Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias@strongswan.org>
-Date: Mon, 30 Nov 2015 16:04:35 +0100
-Subject: [PATCH 1/2] connmark: Fix alignment when adding rules
-
-The structs that make up a message sent to the kernel have all to be
-aligned with XT_ALIGN.  That was not necessarily the case when
-initializing the complete message as struct.
-
- #1212
----
- src/libcharon/plugins/connmark/connmark_listener.c | 332 +++++++++++----------
- 1 file changed, 172 insertions(+), 160 deletions(-)
-
-diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c
-index 23df690..cd53701 100644
---- a/src/libcharon/plugins/connmark/connmark_listener.c
-+++ b/src/libcharon/plugins/connmark/connmark_listener.c
-@@ -1,4 +1,7 @@
- /*
-+ * Copyright (C) 2015 Tobias Brunner
-+ * Hochschule fuer Technik Rapperswil
-+ *
-  * Copyright (C) 2014 Martin Willi
-  * Copyright (C) 2014 revosec AG
-  *
-@@ -25,6 +28,14 @@
- #include <linux/netfilter/xt_policy.h>
- #include <linux/netfilter/xt_CONNMARK.h>
-
-+/**
-+ * Add a struct at the current position in the buffer
-+ */
-+#define ADD_STRUCT(pos, st, ...) ({\
-+      typeof(pos) _cur = pos; pos += XT_ALIGN(sizeof(st));\
-+      *(st*)_cur = (st){ __VA_ARGS__ };\
-+      (st*)_cur;\
-+})
-
- typedef struct private_connmark_listener_t private_connmark_listener_t;
-
-@@ -108,54 +119,54 @@ static bool manage_pre_esp_in_udp(private_connmark_listener_t *this,
-                                                                 u_int mark, u_int32_t spi,
-                                                                 host_t *dst, host_t *src)
- {
--      struct {
--              struct ipt_entry e;
--              struct ipt_entry_match m;
--              struct xt_udp udp;
--              struct ipt_entry_target t;
--              struct xt_mark_tginfo2 tm;
--      } ipt = {
--              .e  = {
--                      .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
--                                                                        sizeof(ipt.udp)),
--                      .next_offset = sizeof(ipt),
--                      .ip = {
--                              .proto = IPPROTO_UDP,
--                      },
-+      u_int16_t match_size    = XT_ALIGN(sizeof(struct ipt_entry_match)) +
-+                                                        XT_ALIGN(sizeof(struct xt_udp));
-+      u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
-+      u_int16_t target_size   = XT_ALIGN(sizeof(struct ipt_entry_target)) +
-+                                                        XT_ALIGN(sizeof(struct xt_mark_tginfo2));
-+      u_int16_t entry_size    = target_offset + target_size;
-+      u_char ipt[entry_size], *pos = ipt;
-+      struct ipt_entry *e;
-+
-+      memset(ipt, 0, sizeof(ipt));
-+      e = ADD_STRUCT(pos, struct ipt_entry,
-+              .target_offset = target_offset,
-+              .next_offset = entry_size,
-+              .ip = {
-+                      .proto = IPPROTO_UDP,
-               },
--              .m = {
--                      .u = {
--                              .user = {
--                                      .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.udp)),
--                                      .name = "udp",
--                              },
-+      );
-+      if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) ||
-+              !host2in(src, &e->ip.src, &e->ip.smsk))
-+      {
-+              return FALSE;
-+      }
-+      ADD_STRUCT(pos, struct ipt_entry_match,
-+              .u = {
-+                      .user = {
-+                              .match_size = match_size,
-+                              .name = "udp",
-                       },
-               },
--              .udp = {
--                      .spts = { src->get_port(src), src->get_port(src) },
--                      .dpts = { dst->get_port(dst), dst->get_port(dst) },
--              },
--              .t = {
--                      .u = {
--                              .user = {
--                                      .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
--                                      .name = "MARK",
--                                      .revision = 2,
--                              },
-+      );
-+      ADD_STRUCT(pos, struct xt_udp,
-+              .spts = { src->get_port(src), src->get_port(src) },
-+              .dpts = { dst->get_port(dst), dst->get_port(dst) },
-+      );
-+      ADD_STRUCT(pos, struct ipt_entry_target,
-+              .u = {
-+                      .user = {
-+                              .target_size = target_size,
-+                              .name = "MARK",
-+                              .revision = 2,
-                       },
-               },
--              .tm = {
--                      .mark = mark,
--                      .mask = ~0,
--              },
--      };
--
--      if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
--              !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
--      {
--              return FALSE;
--      }
--      return manage_rule(ipth, "PREROUTING", add, &ipt.e);
-+      );
-+      ADD_STRUCT(pos, struct xt_mark_tginfo2,
-+              .mark = mark,
-+              .mask = ~0,
-+      );
-+      return manage_rule(ipth, "PREROUTING", add, e);
- }
-
- /**
-@@ -166,53 +177,53 @@ static bool manage_pre_esp(private_connmark_listener_t *this,
-                                                  u_int mark, u_int32_t spi,
-                                                  host_t *dst, host_t *src)
- {
--      struct {
--              struct ipt_entry e;
--              struct ipt_entry_match m;
--              struct xt_esp esp;
--              struct ipt_entry_target t;
--              struct xt_mark_tginfo2 tm;
--      } ipt = {
--              .e  = {
--                      .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
--                                                                        sizeof(ipt.esp)),
--                      .next_offset = sizeof(ipt),
--                      .ip = {
--                              .proto = IPPROTO_ESP,
--                      },
-+      u_int16_t match_size    = XT_ALIGN(sizeof(struct ipt_entry_match)) +
-+                                                        XT_ALIGN(sizeof(struct xt_esp));
-+      u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
-+      u_int16_t target_size   = XT_ALIGN(sizeof(struct ipt_entry_target)) +
-+                                                        XT_ALIGN(sizeof(struct xt_mark_tginfo2));
-+      u_int16_t entry_size    = target_offset + target_size;
-+      u_char ipt[entry_size], *pos = ipt;
-+      struct ipt_entry *e;
-+
-+      memset(ipt, 0, sizeof(ipt));
-+      e = ADD_STRUCT(pos, struct ipt_entry,
-+              .target_offset = target_offset,
-+              .next_offset = entry_size,
-+              .ip = {
-+                      .proto = IPPROTO_ESP,
-               },
--              .m = {
--                      .u = {
--                              .user = {
--                                      .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.esp)),
--                                      .name = "esp",
--                              },
-+      );
-+      if (!host2in(dst, &e->ip.dst, &e->ip.dmsk) ||
-+              !host2in(src, &e->ip.src, &e->ip.smsk))
-+      {
-+              return FALSE;
-+      }
-+      ADD_STRUCT(pos, struct ipt_entry_match,
-+              .u = {
-+                      .user = {
-+                              .match_size = match_size,
-+                              .name = "esp",
-                       },
-               },
--              .esp = {
--                      .spis = { htonl(spi), htonl(spi) },
--              },
--              .t = {
--                      .u = {
--                              .user = {
--                                      .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.tm)),
--                                      .name = "MARK",
--                                      .revision = 2,
--                              },
-+      );
-+      ADD_STRUCT(pos, struct xt_esp,
-+              .spis = { htonl(spi), htonl(spi) },
-+      );
-+      ADD_STRUCT(pos, struct ipt_entry_target,
-+              .u = {
-+                      .user = {
-+                              .target_size = target_size,
-+                              .name = "MARK",
-+                              .revision = 2,
-                       },
-               },
--              .tm = {
--                      .mark = mark,
--                      .mask = ~0,
--              },
--      };
--
--      if (!host2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
--              !host2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
--      {
--              return FALSE;
--      }
--      return manage_rule(ipth, "PREROUTING", add, &ipt.e);
-+      );
-+      ADD_STRUCT(pos, struct xt_mark_tginfo2,
-+              .mark = mark,
-+              .mask = ~0,
-+      );
-+      return manage_rule(ipth, "PREROUTING", add, e);
- }
-
- /**
-@@ -238,59 +249,59 @@ static bool manage_in(private_connmark_listener_t *this,
-                                         u_int mark, u_int32_t spi,
-                                         traffic_selector_t *dst, traffic_selector_t *src)
- {
--      struct {
--              struct ipt_entry e;
--              struct ipt_entry_match m;
--              struct xt_policy_info p;
--              struct ipt_entry_target t;
--              struct xt_connmark_tginfo1 cm;
--      } ipt = {
--              .e  = {
--                      .target_offset = XT_ALIGN(sizeof(ipt.e) + sizeof(ipt.m) +
--                                                                        sizeof(ipt.p)),
--                      .next_offset = sizeof(ipt),
--              },
--              .m = {
--                      .u = {
--                              .user = {
--                                      .match_size = XT_ALIGN(sizeof(ipt.m) + sizeof(ipt.p)),
--                                      .name = "policy",
--                              },
-+      u_int16_t match_size    = XT_ALIGN(sizeof(struct ipt_entry_match)) +
-+                                                        XT_ALIGN(sizeof(struct xt_policy_info));
-+      u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry)) + match_size;
-+      u_int16_t target_size   = XT_ALIGN(sizeof(struct ipt_entry_target)) +
-+                                                        XT_ALIGN(sizeof(struct xt_connmark_tginfo1));
-+      u_int16_t entry_size    = target_offset + target_size;
-+      u_char ipt[entry_size], *pos = ipt;
-+      struct ipt_entry *e;
-+
-+      memset(ipt, 0, sizeof(ipt));
-+      e = ADD_STRUCT(pos, struct ipt_entry,
-+              .target_offset = target_offset,
-+              .next_offset = entry_size,
-+      );
-+      if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) ||
-+              !ts2in(src, &e->ip.src, &e->ip.smsk))
-+      {
-+              return FALSE;
-+      }
-+      ADD_STRUCT(pos, struct ipt_entry_match,
-+              .u = {
-+                      .user = {
-+                              .match_size = match_size,
-+                              .name = "policy",
-                       },
-               },
--              .p = {
--                      .pol = {
--                              {
--                                      .spi = spi,
--                                      .match.spi = 1,
--                              },
-+      );
-+      ADD_STRUCT(pos, struct xt_policy_info,
-+              .pol = {
-+                      {
-+                              .spi = spi,
-+                              .match.spi = 1,
-                       },
--                      .len = 1,
--                      .flags = XT_POLICY_MATCH_IN,
-               },
--              .t = {
--                      .u = {
--                              .user = {
--                                      .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)),
--                                      .name = "CONNMARK",
--                                      .revision = 1,
--                              },
-+              .len = 1,
-+              .flags = XT_POLICY_MATCH_IN,
-+      );
-+      ADD_STRUCT(pos, struct ipt_entry_target,
-+              .u = {
-+                      .user = {
-+                              .target_size = target_size,
-+                              .name = "CONNMARK",
-+                              .revision = 1,
-                       },
-               },
--              .cm = {
--                      .ctmark = mark,
--                      .ctmask = ~0,
--                      .nfmask = ~0,
--                      .mode = XT_CONNMARK_SET,
--              },
--      };
--
--      if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
--              !ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
--      {
--              return FALSE;
--      }
--      return manage_rule(ipth, "INPUT", add, &ipt.e);
-+      );
-+      ADD_STRUCT(pos, struct xt_connmark_tginfo1,
-+              .ctmark = mark,
-+              .ctmask = ~0,
-+              .nfmask = ~0,
-+              .mode = XT_CONNMARK_SET,
-+      );
-+      return manage_rule(ipth, "INPUT", add, e);
- }
-
- /**
-@@ -300,37 +311,38 @@ static bool manage_out(private_connmark_listener_t *this,
-                                          struct iptc_handle *ipth, bool add,
-                                          traffic_selector_t *dst, traffic_selector_t *src)
- {
--      struct {
--              struct ipt_entry e;
--              struct ipt_entry_target t;
--              struct xt_connmark_tginfo1 cm;
--      } ipt = {
--              .e  = {
--                      .target_offset = XT_ALIGN(sizeof(ipt.e)),
--                      .next_offset = sizeof(ipt),
--              },
--              .t = {
--                      .u = {
--                              .user = {
--                                      .target_size = XT_ALIGN(sizeof(ipt.t) + sizeof(ipt.cm)),
--                                      .name = "CONNMARK",
--                                      .revision = 1,
--                              },
--                      },
--              },
--              .cm = {
--                      .ctmask = ~0,
--                      .nfmask = ~0,
--                      .mode = XT_CONNMARK_RESTORE,
--              },
--      };
--
--      if (!ts2in(dst, &ipt.e.ip.dst, &ipt.e.ip.dmsk) ||
--              !ts2in(src, &ipt.e.ip.src, &ipt.e.ip.smsk))
-+      u_int16_t target_offset = XT_ALIGN(sizeof(struct ipt_entry));
-+      u_int16_t target_size   = XT_ALIGN(sizeof(struct ipt_entry_target)) +
-+                                                        XT_ALIGN(sizeof(struct xt_connmark_tginfo1));
-+      u_int16_t entry_size    = target_offset + target_size;
-+      u_char ipt[entry_size], *pos = ipt;
-+      struct ipt_entry *e;
-+
-+      memset(ipt, 0, sizeof(ipt));
-+      e = ADD_STRUCT(pos, struct ipt_entry,
-+              .target_offset = target_offset,
-+              .next_offset = entry_size,
-+      );
-+      if (!ts2in(dst, &e->ip.dst, &e->ip.dmsk) ||
-+              !ts2in(src, &e->ip.src, &e->ip.smsk))
-       {
-               return FALSE;
-       }
--      return manage_rule(ipth, "OUTPUT", add, &ipt.e);
-+      ADD_STRUCT(pos, struct ipt_entry_target,
-+              .u = {
-+                      .user = {
-+                              .target_size = target_size,
-+                              .name = "CONNMARK",
-+                              .revision = 1,
-+                      },
-+              },
-+      );
-+      ADD_STRUCT(pos, struct xt_connmark_tginfo1,
-+              .ctmask = ~0,
-+              .nfmask = ~0,
-+              .mode = XT_CONNMARK_RESTORE,
-+      );
-+      return manage_rule(ipth, "OUTPUT", add, e);
- }
-
- /**
---
-2.4.10
index 7d46156384052f00aaf9fffd8d6c2cb8a58787ed..cd74f27119ba4dead0195332b1d6727f34dd9319 100644 (file)
@@ -1,6 +1,6 @@
 --- a/src/starter/netkey.c
 +++ b/src/starter/netkey.c
-@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
+@@ -30,7 +30,7 @@ bool starter_netkey_init(void)
                /* af_key module makes the netkey proc interface visible */
                if (stat(PROC_MODULES, &stb) == 0)
                {
@@ -9,7 +9,7 @@
                }
  
                /* now test again */
-@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
+@@ -44,11 +44,11 @@ bool starter_netkey_init(void)
        /* make sure that all required IPsec modules are loaded */
        if (stat(PROC_MODULES, &stb) == 0)
        {
index ea799671ebdd9065f80ea843957675b51684967a..54b0efca5d3c6e2aeb85c90bcdbd769a8b2e9f38 100644 (file)
@@ -4,8 +4,8 @@
                        loop=110
                        while [ $loop -gt 0 ] ; do
                                kill -0 $spid 2>/dev/null || break
--                              sleep 0.1
-+                              sleep 1
-                               loop=$(($loop - 1))
-                       done
-                       if [ $loop -eq 0 ]
+-                              sleep 0.1 2>/dev/null
++                              sleep 1 2>/dev/null
+                               if [ $? -ne 0 ]
+                               then
+                                       sleep 1
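Review bot: The upstream fallback `if [ $? -ne 0 ]; then sleep 1`, kept as context right after the changed line, becomes unreachable once the patched line reads `sleep 1 2>/dev/null`, since the whole-second sleep is exactly what the fallback would run anyway; the patch could drop the fallback branch as well, or leave a note explaining why it is kept. With the counter still at `loop=110`, the `kill -0 $spid` wait grows from roughly 11 s to about 110 s before whatever follows the loop runs, which is a visible behaviour change worth stating. The patch file carries no description, so I would add a short header to it saying why the fractional sleep is replaced and that the maximum wait is now about 110 s. The loop body continues outside the hunk (`fi`, the `loop=$(($loop - 1))` decrement and `done` are not shown), so I cannot tell whether the refreshed patch also touches those lines.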
index e060ec36cfb7def2f7c1d3709fc4c9a3ee1da828..adf5fd8e7940ac284bd3d7af60a5c34b2978d8a0 100644 (file)
@@ -8,7 +8,7 @@
  ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
  ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
  ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
-@@ -1312,6 +1313,7 @@ ADD_PLUGIN([gcrypt],               [s ch
+@@ -1325,6 +1326,7 @@ ADD_PLUGIN([gcrypt],               [s ch
  ADD_PLUGIN([af-alg],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
  ADD_PLUGIN([fips-prf],             [s charon nm cmd])
  ADD_PLUGIN([gmp],                  [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
@@ -16,7 +16,7 @@
  ADD_PLUGIN([agent],                [s charon nm cmd])
  ADD_PLUGIN([keychain],             [s charon cmd])
  ADD_PLUGIN([chapoly],              [s charon scripts nm cmd])
-@@ -1444,6 +1446,7 @@ AM_CONDITIONAL(USE_SHA2, test x$sha2 = x
+@@ -1458,6 +1460,7 @@ AM_CONDITIONAL(USE_SHA2, test x$sha2 = x
  AM_CONDITIONAL(USE_SHA3, test x$sha3 = xtrue)
  AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
  AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
@@ -24,7 +24,7 @@
  AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
  AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue)
  AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
-@@ -1692,6 +1695,7 @@ AC_CONFIG_FILES([
+@@ -1707,6 +1710,7 @@ AC_CONFIG_FILES([
        src/libstrongswan/plugins/sha3/Makefile
        src/libstrongswan/plugins/fips_prf/Makefile
        src/libstrongswan/plugins/gmp/Makefile
@@ -34,7 +34,7 @@
        src/libstrongswan/plugins/random/Makefile
 --- a/src/libstrongswan/Makefile.am
 +++ b/src/libstrongswan/Makefile.am
-@@ -303,6 +303,13 @@ if MONOLITHIC
+@@ -305,6 +305,13 @@ if MONOLITHIC
  endif
  endif