AA: strongswan: update to the latest version to fix various security issues, includin...
authorFelix Fietkau <nbd@openwrt.org>
Tue, 15 Apr 2014 17:28:55 +0000 (17:28 +0000)
committerFelix Fietkau <nbd@openwrt.org>
Tue, 15 Apr 2014 17:28:55 +0000 (17:28 +0000)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 40518

net/strongswan/Makefile
net/strongswan/files/ipsec.init [new file with mode: 0644]
net/strongswan/files/ipsec.user [new file with mode: 0644]
net/strongswan/patches/100-method_name_fix.patch [new file with mode: 0644]
net/strongswan/patches/201-kmodloader.patch [new file with mode: 0644]
net/strongswan/patches/201-no-modprobe.patch [deleted file]
net/strongswan/patches/300-include-ipsec-user-script.patch [new file with mode: 0644]

index cb8f95fd64919bef30402ea37cc938c763cd8ed7..a0a8a6c5a93d3743f06a901eaa9fed2eeb4ad233 100644 (file)
@@ -1,5 +1,5 @@
-# 
-# Copyright (C) 2012 OpenWrt.org
+#
+# Copyright (C) 2012-2014 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=strongswan
-PKG_VERSION:=5.0.0
+PKG_VERSION:=5.1.3
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
-PKG_SOURCE_URL:=http://download.strongswan.org/
-PKG_MD5SUM:=c8b861305def7c0abae04f7bbefec212
+PKG_SOURCE_URL:=http://download.strongswan.org/ http://download2.strongswan.org/
+PKG_MD5SUM:=1d1c108775242743cd8699215b2918c3
 
 PKG_MOD_AVAILABLE:= \
        addrblock \
@@ -36,6 +36,7 @@ PKG_MOD_AVAILABLE:= \
        eap-identity \
        eap-md5 \
        eap-mschapv2 \
+       eap-radius \
        farp \
        fips-prf \
        gcm \
@@ -44,6 +45,7 @@ PKG_MOD_AVAILABLE:= \
        ha \
        hmac \
        kernel-klips \
+       kernel-libipsec \
        kernel-netlink \
        kernel-pfkey \
        ldap \
@@ -69,18 +71,18 @@ PKG_MOD_AVAILABLE:= \
        smp \
        socket-default \
        socket-dynamic \
-       socket-raw \
        sql \
        sqlite \
        stroke \
        test-vectors \
+       unity \
        uci \
        updown \
        whitelist \
        x509 \
        xauth-eap \
        xauth-generic \
-       xcbc \
+       xcbc
 
 PKG_CONFIG_DEPENDS:= \
        CONFIG_STRONGSWAN_DEVICE_RANDOM \
@@ -150,6 +152,7 @@ $(call Package/strongswan/Default)
        +strongswan-mod-eap-identity \
        +strongswan-mod-eap-md5 \
        +strongswan-mod-eap-mschapv2 \
+       +strongswan-mod-eap-radius \
        +strongswan-mod-farp \
        +strongswan-mod-fips-prf \
        +strongswan-mod-gcm \
@@ -185,6 +188,7 @@ $(call Package/strongswan/Default)
        +strongswan-mod-stroke \
        +strongswan-mod-test-vectors \
        +strongswan-mod-uci \
+       +strongswan-mod-unity \
        +strongswan-mod-updown \
        +strongswan-mod-whitelist \
        +strongswan-mod-x509 \
@@ -198,8 +202,9 @@ endef
 define Package/strongswan-full/description
 $(call Package/strongswan/description/Default)
  This meta-package contains dependencies for all of the strongswan plugins
- except kernel-klips, kernel-pfkey, socket-dynamic and socket-raw which are
- ommitted in favor of the kernel-netlink and socket-default plugins.
+ except kernel-klips, kernel-libipsec, kernel-pfkey,
+ socket-dynamic and which are ommitted in favor of the kernel-netlink and
+ socket-default plugins.
 endef
 
 
@@ -301,7 +306,7 @@ endef
 
 define Package/strongswan-utils/description
 $(call Package/strongswan/description/Default)
- This package contains the openac, pki & scepclient utilities.
+ This package contains the pki & scepclient utilities.
 endef
 
 define BuildPlugin
@@ -343,6 +348,7 @@ EXTRA_LDFLAGS+= -Wl,-rpath-link,$(STAGING_DIR)/usr/lib
 define Package/strongswan/conffiles
 /etc/ipsec.conf
 /etc/ipsec.secrets
+/etc/ipsec.user
 /etc/strongswan.conf
 endef
 
@@ -352,6 +358,8 @@ define Package/strongswan/install
        $(INSTALL_DIR) $(1)/usr/lib/ipsec
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{libstrongswan.so.*,libhydra.so.*} $(1)/usr/lib/ipsec/
        $(INSTALL_CONF) ./files/ipsec.secrets $(1)/etc/
+       $(INSTALL_DIR) $(1)/etc/init.d
+       $(INSTALL_BIN) ./files/ipsec.init $(1)/etc/init.d/ipsec
 endef
 
 define Package/strongswan-default/install
@@ -380,8 +388,10 @@ endef
 define Package/strongswan-utils/install
        $(INSTALL_DIR) $(1)/usr/sbin
        $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin/
+       $(INSTALL_DIR) $(1)/usr/bin
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/pki $(1)/usr/bin/
        $(INSTALL_DIR) $(1)/usr/lib/ipsec
-       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{openac,pki,scepclient} $(1)/usr/lib/ipsec/
+       $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/ipsec/scepclient $(1)/usr/lib/ipsec/
 endef
 
 define Plugin/duplicheck/install
@@ -390,6 +400,12 @@ define Plugin/duplicheck/install
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-duplicheck.so $(1)/usr/lib/ipsec/plugins/
 endef
 
+define Plugin/eap-radius/install
+       $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libradius.so.* $(1)/usr/lib/ipsec/
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-eap-radius.so $(1)/usr/lib/ipsec/plugins/
+endef
+
 define Plugin/attr-sql/install
        $(INSTALL_DIR) $(1)/usr/lib/ipsec
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/pool $(1)/usr/lib/ipsec/
@@ -416,6 +432,8 @@ define Plugin/updown/install
        $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/{_updown,_updown_espmark} $(1)/usr/lib/ipsec/
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-updown.so $(1)/usr/lib/ipsec/plugins/
+       $(INSTALL_DIR) $(1)/etc
+       $(INSTALL_CONF) ./files/ipsec.user $(1)/etc/
 endef
 
 define Plugin/whitelist/install
@@ -424,6 +442,11 @@ define Plugin/whitelist/install
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-whitelist.so $(1)/usr/lib/ipsec/plugins/
 endef
 
+define Plugin/kernel-libipsec/install
+       $(INSTALL_DIR) $(1)/usr/lib/ipsec
+       $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/libipsec.so.* $(1)/usr/lib/ipsec/
+endef
+
 $(eval $(call BuildPackage,strongswan))
 $(eval $(call BuildPackage,strongswan-default))
 $(eval $(call BuildPackage,strongswan-full))
@@ -450,7 +473,8 @@ $(eval $(call BuildPlugin,dnskey,DNS RR key decoding,))
 $(eval $(call BuildPlugin,duplicheck,advanced duplicate checking,))
 $(eval $(call BuildPlugin,eap-identity,EAP identity helper,))
 $(eval $(call BuildPlugin,eap-md5,EAP MD5 (CHAP) EAP auth,))
-$(eval $(call BuildPlugin,eap-mschapv2,EAP MS-CHAPv2 EAP auth,))
+$(eval $(call BuildPlugin,eap-mschapv2,EAP MS-CHAPv2 EAP auth,+strongswan-mod-md4 +strongswan-mod-des))
+$(eval $(call BuildPlugin,eap-radius,EAP RADIUS auth,))
 $(eval $(call BuildPlugin,farp,fake arp respsonses,))
 $(eval $(call BuildPlugin,fips-prf,FIPS PRF crypto,+strongswan-mod-sha1))
 $(eval $(call BuildPlugin,gcm,GCM AEAD wrapper crypto,))
@@ -459,6 +483,7 @@ $(eval $(call BuildPlugin,gmp,libgmp,+PACKAGE_strongswan-mod-gmp:libgmp))
 $(eval $(call BuildPlugin,ha,high availability cluster,))
 $(eval $(call BuildPlugin,hmac,HMAC crypto,))
 $(eval $(call BuildPlugin,kernel-klips,KLIPS kernel interface,))
+$(eval $(call BuildPlugin,kernel-libipsec,libipsec kernel interface,))
 $(eval $(call BuildPlugin,kernel-netlink,netlink kernel interface,))
 $(eval $(call BuildPlugin,kernel-pfkey,PK_KEY kernel interface,))
 $(eval $(call BuildPlugin,ldap,LDAP,+PACKAGE_strongswan-mod-ldap:libopenldap))
@@ -484,12 +509,12 @@ $(eval $(call BuildPlugin,sha2,SHA2 crypto,))
 $(eval $(call BuildPlugin,smp,SMP configuration and control interface,+PACKAGE_strongswan-mod-smp:libxml2))
 $(eval $(call BuildPlugin,socket-default,default socket implementation for charon,))
 $(eval $(call BuildPlugin,socket-dynamic,dynamic socket implementation for charon,))
-$(eval $(call BuildPlugin,socket-raw,raw socket implementation for charon,))
 $(eval $(call BuildPlugin,sql,SQL database interface,))
 $(eval $(call BuildPlugin,sqlite,SQLite database interface,+strongswan-mod-sql +PACKAGE_strongswan-mod-sqlite:libsqlite3))
 $(eval $(call BuildPlugin,stroke,Stroke,+strongswan-utils))
 $(eval $(call BuildPlugin,test-vectors,crypto test vectors,))
 $(eval $(call BuildPlugin,uci,UCI config interface,+PACKAGE_strongswan-mod-uci:libuci))
+$(eval $(call BuildPlugin,unity,Cisco Unity extension,))
 $(eval $(call BuildPlugin,updown,updown firewall,))
 $(eval $(call BuildPlugin,whitelist,peer identity whitelisting,))
 $(eval $(call BuildPlugin,x509,x509 certificate,))
diff --git a/net/strongswan/files/ipsec.init b/net/strongswan/files/ipsec.init
new file mode 100644 (file)
index 0000000..391a2ae
--- /dev/null
@@ -0,0 +1,20 @@
+#!/bin/sh /etc/rc.common
+
+START=90
+STOP=10
+
+start() {
+       ipsec start
+}
+
+stop() {
+       ipsec stop
+}
+
+restart() {
+       ipsec restart
+}
+
+reload() {
+       ipsec update
+}
diff --git a/net/strongswan/files/ipsec.user b/net/strongswan/files/ipsec.user
new file mode 100644 (file)
index 0000000..4351ace
--- /dev/null
@@ -0,0 +1,6 @@
+# This file is interpreted as shell script.
+# Put your custom ip rules here, they will
+# be executed with each call to the script
+# /usr/lib/ipsec/_updown which by default
+# strongswan executes.
+
diff --git a/net/strongswan/patches/100-method_name_fix.patch b/net/strongswan/patches/100-method_name_fix.patch
new file mode 100644 (file)
index 0000000..477f399
--- /dev/null
@@ -0,0 +1,40 @@
+--- a/src/libipsec/ip_packet.c
++++ b/src/libipsec/ip_packet.c
+@@ -95,7 +95,7 @@ METHOD(ip_packet_t, get_next_header, u_i
+       return this->next_header;
+ }
+-METHOD(ip_packet_t, clone, ip_packet_t*,
++METHOD(ip_packet_t, clone_, ip_packet_t*,
+       private_ip_packet_t *this)
+ {
+       return ip_packet_create(chunk_clone(this->packet));
+@@ -183,7 +183,7 @@ ip_packet_t *ip_packet_create(chunk_t pa
+                       .get_destination = _get_destination,
+                       .get_next_header = _get_next_header,
+                       .get_encoding = _get_encoding,
+-                      .clone = _clone,
++                      .clone = _clone_,
+                       .destroy = _destroy,
+               },
+               .src = src,
+--- a/src/libipsec/esp_packet.c
++++ b/src/libipsec/esp_packet.c
+@@ -115,7 +115,7 @@ METHOD(packet_t, skip_bytes, void,
+       return this->packet->skip_bytes(this->packet, bytes);
+ }
+-METHOD(packet_t, clone, packet_t*,
++METHOD(packet_t, clone_, packet_t*,
+       private_esp_packet_t *this)
+ {
+       private_esp_packet_t *pkt;
+@@ -414,7 +414,7 @@ static private_esp_packet_t *esp_packet_
+                               .get_dscp = _get_dscp,
+                               .set_dscp = _set_dscp,
+                               .skip_bytes = _skip_bytes,
+-                              .clone = _clone,
++                              .clone = _clone_,
+                               .destroy = _destroy,
+                       },
+                       .get_source = _get_source,
diff --git a/net/strongswan/patches/201-kmodloader.patch b/net/strongswan/patches/201-kmodloader.patch
new file mode 100644 (file)
index 0000000..7d46156
--- /dev/null
@@ -0,0 +1,28 @@
+--- a/src/starter/netkey.c
++++ b/src/starter/netkey.c
+@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
+               /* af_key module makes the netkey proc interface visible */
+               if (stat(PROC_MODULES, &stb) == 0)
+               {
+-                      ignore_result(system("modprobe -qv af_key"));
++                      ignore_result(system("modprobe af_key 2>&1 >/dev/null"));
+               }
+               /* now test again */
+@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
+       /* make sure that all required IPsec modules are loaded */
+       if (stat(PROC_MODULES, &stb) == 0)
+       {
+-              ignore_result(system("modprobe -qv ah4"));
+-              ignore_result(system("modprobe -qv esp4"));
+-              ignore_result(system("modprobe -qv ipcomp"));
+-              ignore_result(system("modprobe -qv xfrm4_tunnel"));
+-              ignore_result(system("modprobe -qv xfrm_user"));
++              ignore_result(system("modprobe ah4 2>&1 >/dev/null"));
++              ignore_result(system("modprobe esp4 2>&1 >/dev/null"));
++              ignore_result(system("modprobe ipcomp 2>&1 >/dev/null"));
++              ignore_result(system("modprobe xfrm4_tunnel 2>&1 >/dev/null"));
++              ignore_result(system("modprobe xfrm_user 2>&1 >/dev/null"));
+       }
+       DBG2(DBG_APP, "found netkey IPsec stack");
diff --git a/net/strongswan/patches/201-no-modprobe.patch b/net/strongswan/patches/201-no-modprobe.patch
deleted file mode 100644 (file)
index 5dee45e..0000000
+++ /dev/null
@@ -1,28 +0,0 @@
---- a/src/starter/netkey.c
-+++ b/src/starter/netkey.c
-@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
-               /* af_key module makes the netkey proc interface visible */
-               if (stat(PROC_MODULES, &stb) == 0)
-               {
--                      ignore_result(system("modprobe -qv af_key"));
-+                      ignore_result(system("insmod -qv af_key"));
-               }
-               /* now test again */
-@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
-       /* make sure that all required IPsec modules are loaded */
-       if (stat(PROC_MODULES, &stb) == 0)
-       {
--              ignore_result(system("modprobe -qv ah4"));
--              ignore_result(system("modprobe -qv esp4"));
--              ignore_result(system("modprobe -qv ipcomp"));
--              ignore_result(system("modprobe -qv xfrm4_tunnel"));
--              ignore_result(system("modprobe -qv xfrm_user"));
-+              ignore_result(system("insmod -qv ah4"));
-+              ignore_result(system("insmod -qv esp4"));
-+              ignore_result(system("insmod -qv ipcomp"));
-+              ignore_result(system("insmod -qv xfrm4_tunnel"));
-+              ignore_result(system("insmod -qv xfrm_user"));
-       }
-       DBG2(DBG_APP, "found netkey IPsec stack");
diff --git a/net/strongswan/patches/300-include-ipsec-user-script.patch b/net/strongswan/patches/300-include-ipsec-user-script.patch
new file mode 100644 (file)
index 0000000..d96e844
--- /dev/null
@@ -0,0 +1,17 @@
+--- a/src/_updown/_updown.in
++++ b/src/_updown/_updown.in
+@@ -16,11 +16,9 @@
+ # or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ # for more details.
+-# CAUTION:  Installing a new version of strongSwan will install a new
+-# copy of this script, wiping out any custom changes you make.  If
+-# you need changes, make a copy of this under another name, and customize
+-# that, and use the (left/right)updown parameters in ipsec.conf to make
+-# strongSwan use yours instead of this default one.
++# Add your custom ip rules to the /etc/ipsec.user file if you need that functionality.
++
++[ -e /etc/ipsec.user ] && . /etc/ipsec.user "$1"
+ # things that this script gets (from ipsec_pluto(8) man page)
+ #