Merge commit 'origin/master' into core58

Arne Fitzenreiter
2012-04-07 11:42:17 +02:00
39 changed files with 2612 additions and 421 deletions


@@ -9,12 +9,12 @@
#usr/lib/libpng.la
usr/lib/libpng.so
usr/lib/libpng.so.3
usr/lib/libpng.so.3.44.0
usr/lib/libpng.so.3.46.0
#usr/lib/libpng12.a
#usr/lib/libpng12.la
usr/lib/libpng12.so
usr/lib/libpng12.so.0
usr/lib/libpng12.so.0.44.0
usr/lib/libpng12.so.0.46.0
#usr/lib/pkgconfig/libpng.pc
#usr/lib/pkgconfig/libpng12.pc
#usr/share/man/man3/libpng.3


@@ -1,5 +1,6 @@
lib/openvpn-auth-pam.so
lib/openvpn-down-root.so
usr/lib/openvpn
usr/lib/openvpn/openvpn-auth-pam.so
usr/lib/openvpn/openvpn-down-root.so
usr/sbin/openvpn
#usr/share/doc/openvpn
#usr/share/doc/openvpn/management-notes.txt
@@ -16,5 +17,6 @@ var/ipfire/ovpn/n2nconf
var/ipfire/ovpn/openssl/ovpn.cnf
var/ipfire/ovpn/ovpn-leases.db
var/ipfire/ovpn/ovpnconfig
var/ipfire/ovpn/scripts
var/ipfire/ovpn/settings
var/ipfire/ovpn/verify


@@ -10,6 +10,7 @@ etc/ipsec.d/private
etc/ipsec.d/reqs
etc/ipsec.secrets
etc/strongswan.conf
#usr/lib/ipsec
#usr/lib/ipsec/libcharon.a
#usr/lib/ipsec/libcharon.la
usr/lib/ipsec/libcharon.so
@@ -25,15 +26,6 @@ usr/lib/ipsec/libhydra.so.0.0.0
usr/lib/ipsec/libstrongswan.so
usr/lib/ipsec/libstrongswan.so.0
usr/lib/ipsec/libstrongswan.so.0.0.0
#usr/libexec/ipsec
usr/libexec/ipsec/_copyright
usr/libexec/ipsec/_pluto_adns
usr/libexec/ipsec/_updown
usr/libexec/ipsec/_updown_espmark
usr/libexec/ipsec/charon
usr/libexec/ipsec/openac
usr/libexec/ipsec/pki
#usr/lib/ipsec
#usr/lib/ipsec/plugins
#usr/lib/ipsec/plugins/libstrongswan-aes.a
#usr/lib/ipsec/plugins/libstrongswan-aes.la
@@ -77,6 +69,9 @@ usr/lib/ipsec/plugins/libstrongswan-pgp.so
#usr/lib/ipsec/plugins/libstrongswan-pkcs1.a
#usr/lib/ipsec/plugins/libstrongswan-pkcs1.la
usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
#usr/lib/ipsec/plugins/libstrongswan-pkcs8.a
#usr/lib/ipsec/plugins/libstrongswan-pkcs8.la
usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
#usr/lib/ipsec/plugins/libstrongswan-pubkey.a
#usr/lib/ipsec/plugins/libstrongswan-pubkey.la
usr/lib/ipsec/plugins/libstrongswan-pubkey.so
@@ -113,6 +108,14 @@ usr/lib/ipsec/plugins/libstrongswan-xauth.so
#usr/lib/ipsec/plugins/libstrongswan-xcbc.a
#usr/lib/ipsec/plugins/libstrongswan-xcbc.la
usr/lib/ipsec/plugins/libstrongswan-xcbc.so
#usr/libexec/ipsec
usr/libexec/ipsec/_copyright
usr/libexec/ipsec/_pluto_adns
usr/libexec/ipsec/_updown
usr/libexec/ipsec/_updown_espmark
usr/libexec/ipsec/charon
usr/libexec/ipsec/openac
usr/libexec/ipsec/pki
usr/libexec/ipsec/pluto
usr/libexec/ipsec/scepclient
usr/libexec/ipsec/starter


@@ -1,5 +1,5 @@
etc/usb_modeswitch.conf
#lib/udev/usb_modeswitch
lib/udev/usb_modeswitch
usr/sbin/usb_modeswitch
usr/sbin/usb_modeswitch_dispatcher
#usr/share/man/man1/usb_modeswitch.1


@@ -0,0 +1,12 @@
srv/web/ipfire/html/proxy.pac
etc/udev/rules.d/30-persistent-network.rules
etc/ipsec.conf
etc/ipsec.secrets
etc/ipsec.user.conf
etc/ipsec.user.secrets
var/updatecache
etc/localtime
var/ipfire/ovpn
etc/ssh/ssh_config
etc/ssh/sshd_config
etc/ssl/openssl.cnf


@@ -0,0 +1 @@
usr/local/share/GeoIP/GeoIP.dat


@@ -0,0 +1,2 @@
lib/modules/2.6.32.45-ipfire-versatile/extra/cryptodev.ko
lib/modules/2.6.32.45-ipfire-kirkwood/extra/cryptodev.ko


@@ -0,0 +1,3 @@
etc/system-release
etc/issue
etc/vimrc


@@ -0,0 +1 @@
../../../common/fireinfo


@@ -0,0 +1,2 @@
usr/share/hwdata/pci.ids
usr/share/hwdata/usb.ids


@@ -0,0 +1,3 @@
lib/modules/2.6.32.45-ipfire/extra/cryptodev.ko
lib/modules/2.6.32.45-ipfire-pae/extra/cryptodev.ko
lib/modules/2.6.32.45-ipfire-xen/extra/cryptodev.ko


@@ -0,0 +1 @@
../../../common/libpng


@@ -0,0 +1 @@
../../../common/openssh


@@ -0,0 +1 @@
../../../common/openssl


@@ -0,0 +1 @@
../../../common/openvpn


@@ -0,0 +1 @@
../../../common/strongswan


@@ -0,0 +1 @@
../../../common/usb_modeswitch


@@ -0,0 +1 @@
DEPS=""


@@ -0,0 +1,84 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 3 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2012 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
/usr/local/bin/backupctrl exclude >/dev/null 2>&1
#
# Remove old core updates from pakfire cache to save space...
core=58
for (( i=1; i<=$core; i++ ))
do
rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
done
#
#Stop services
/etc/init.d/ipsec stop
#
#Extract files
extract_files
#
#Start services
if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then
/etc/init.d/ipsec start
fi
#
#Update Language cache
perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
#Rebuild module dep's
arch=`uname -m`
if [ ${arch::3} == "arm" ]; then
depmod -a 2.6.32.45-ipfire-versatile >/dev/null 2>&1
depmod -a 2.6.32.45-ipfire-kirkwood >/dev/null 2>&1
else
depmod -a 2.6.32.45-ipfire >/dev/null 2>&1
depmod -a 2.6.32.45-ipfire-pae >/dev/null 2>&1
depmod -a 2.6.32.45-ipfire-xen >/dev/null 2>&1
fi
#Rebuild initrd's because some compat-wireless modules are inside
#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45.img 2.6.32.45-ipfire
#if [ -e /boot/ipfirerd-2.6.32.45-pae.img ]; then
#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-pae.img 2.6.32.45-ipfire-pae
#fi
#if [ -e /boot/ipfirerd-2.6.32.45-xen.img ]; then
#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-xen.img 2.6.32.45-ipfire-xen
#fi
sync
# This update need a reboot...
touch /var/run/need_reboot
#
#Finish
/etc/init.d/fireinfo start
sendprofile
#Don't report the exitcode last command
exit 0
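Review bot: The ipsec restart condition `if [ \`grep "ENABLED=on" /var/ipfire/vpn/settings\` ]; then` relies on an unquoted command substitution inside `[ ]`; it only works because the matching line is a single word, and if the settings file is absent grep's error is printed while the test silently evaluates false. Test the exit status instead: `if grep -q "ENABLED=on" /var/ipfire/vpn/settings 2>/dev/null; then`. The same quoting gap exists in the depmod branch, where `if [ ${arch::3} == "arm" ]; then` should be `if [ "${arch::3}" == "arm" ]; then` so an empty `uname -m` result cannot turn into a test syntax error.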


@@ -10,15 +10,15 @@ usr/bin/sigtool
#usr/lib/libclamav.la
usr/lib/libclamav.so
usr/lib/libclamav.so.6
usr/lib/libclamav.so.6.1.12
usr/lib/libclamav.so.6.1.13
#usr/lib/libclamunrar.la
usr/lib/libclamunrar.so
usr/lib/libclamunrar.so.6
usr/lib/libclamunrar.so.6.1.12
usr/lib/libclamunrar.so.6.1.13
#usr/lib/libclamunrar_iface.la
usr/lib/libclamunrar_iface.so
usr/lib/libclamunrar_iface.so.6
usr/lib/libclamunrar_iface.so.6.1.12
usr/lib/libclamunrar_iface.so.6.1.13
#usr/lib/pkgconfig/libclamav.pc
usr/sbin/clamd
usr/share/clamav


@@ -6,10 +6,32 @@ usr/bin/git-upload-archive
usr/bin/git-upload-pack
#usr/bin/gitk
usr/lib/perl5/site_perl/5.12.3/Error.pm
usr/lib/perl5/site_perl/5.12.3/Git
usr/lib/perl5/site_perl/5.12.3/Git.pm
#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Git
#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Git/.packlist
usr/lib/perl5/site_perl/5.12.3/Git/I18N.pm
#usr/lib/perl5/site_perl/5.12.3/i586-linux-thread-multi/auto/Git
#usr/lib/perl5/site_perl/5.12.3/i586-linux-thread-multi/auto/Git/.packlist
usr/lib/python2.7/site-packages/git_remote_helpers
#usr/lib/python2.7/site-packages/git_remote_helpers-0.1.0-py2.7.egg-info
usr/lib/python2.7/site-packages/git_remote_helpers/__init__.py
usr/lib/python2.7/site-packages/git_remote_helpers/__init__.pyc
usr/lib/python2.7/site-packages/git_remote_helpers/git
usr/lib/python2.7/site-packages/git_remote_helpers/git/__init__.py
usr/lib/python2.7/site-packages/git_remote_helpers/git/__init__.pyc
usr/lib/python2.7/site-packages/git_remote_helpers/git/exporter.py
usr/lib/python2.7/site-packages/git_remote_helpers/git/exporter.pyc
usr/lib/python2.7/site-packages/git_remote_helpers/git/git.py
usr/lib/python2.7/site-packages/git_remote_helpers/git/git.pyc
usr/lib/python2.7/site-packages/git_remote_helpers/git/importer.py
usr/lib/python2.7/site-packages/git_remote_helpers/git/importer.pyc
usr/lib/python2.7/site-packages/git_remote_helpers/git/non_local.py
usr/lib/python2.7/site-packages/git_remote_helpers/git/non_local.pyc
usr/lib/python2.7/site-packages/git_remote_helpers/git/repo.py
usr/lib/python2.7/site-packages/git_remote_helpers/git/repo.pyc
usr/lib/python2.7/site-packages/git_remote_helpers/util.py
usr/lib/python2.7/site-packages/git_remote_helpers/util.pyc
usr/libexec/git-core
usr/libexec/git-core/git
usr/libexec/git-core/git-add
usr/libexec/git-core/git-add--interactive
usr/libexec/git-core/git-am
@@ -36,6 +58,9 @@ usr/libexec/git-core/git-commit
usr/libexec/git-core/git-commit-tree
usr/libexec/git-core/git-config
usr/libexec/git-core/git-count-objects
usr/libexec/git-core/git-credential-cache
usr/libexec/git-core/git-credential-cache--daemon
usr/libexec/git-core/git-credential-store
usr/libexec/git-core/git-cvsexportcommit
usr/libexec/git-core/git-cvsimport
usr/libexec/git-core/git-cvsserver
@@ -50,7 +75,6 @@ usr/libexec/git-core/git-difftool--helper
usr/libexec/git-core/git-fast-export
usr/libexec/git-core/git-fast-import
usr/libexec/git-core/git-fetch
usr/libexec/git-core/git-fetch--tool
usr/libexec/git-core/git-fetch-pack
usr/libexec/git-core/git-filter-branch
usr/libexec/git-core/git-fmt-merge-msg
@@ -65,6 +89,7 @@ usr/libexec/git-core/git-gui
usr/libexec/git-core/git-gui--askpass
usr/libexec/git-core/git-hash-object
usr/libexec/git-core/git-help
usr/libexec/git-core/git-http-backend
usr/libexec/git-core/git-http-fetch
usr/libexec/git-core/git-http-push
usr/libexec/git-core/git-imap-send
@@ -96,6 +121,7 @@ usr/libexec/git-core/git-mktag
usr/libexec/git-core/git-mktree
usr/libexec/git-core/git-mv
usr/libexec/git-core/git-name-rev
usr/libexec/git-core/git-notes
usr/libexec/git-core/git-pack-objects
usr/libexec/git-core/git-pack-redundant
usr/libexec/git-core/git-pack-refs
@@ -109,12 +135,22 @@ usr/libexec/git-core/git-push
usr/libexec/git-core/git-quiltimport
usr/libexec/git-core/git-read-tree
usr/libexec/git-core/git-rebase
usr/libexec/git-core/git-rebase--am
usr/libexec/git-core/git-rebase--interactive
usr/libexec/git-core/git-rebase--merge
usr/libexec/git-core/git-receive-pack
usr/libexec/git-core/git-reflog
usr/libexec/git-core/git-relink
usr/libexec/git-core/git-remote
usr/libexec/git-core/git-remote-ext
usr/libexec/git-core/git-remote-fd
usr/libexec/git-core/git-remote-ftp
usr/libexec/git-core/git-remote-ftps
usr/libexec/git-core/git-remote-http
usr/libexec/git-core/git-remote-https
usr/libexec/git-core/git-remote-testgit
usr/libexec/git-core/git-repack
usr/libexec/git-core/git-replace
usr/libexec/git-core/git-repo-config
usr/libexec/git-core/git-request-pull
usr/libexec/git-core/git-rerere
@@ -125,6 +161,8 @@ usr/libexec/git-core/git-revert
usr/libexec/git-core/git-rm
usr/libexec/git-core/git-send-email
usr/libexec/git-core/git-send-pack
usr/libexec/git-core/git-sh-i18n
usr/libexec/git-core/git-sh-i18n--envsubst
usr/libexec/git-core/git-sh-setup
usr/libexec/git-core/git-shell
usr/libexec/git-core/git-shortlog
@@ -154,6 +192,22 @@ usr/libexec/git-core/git-verify-tag
usr/libexec/git-core/git-web--browse
usr/libexec/git-core/git-whatchanged
usr/libexec/git-core/git-write-tree
usr/libexec/git-core/mergetools
usr/libexec/git-core/mergetools/araxis
usr/libexec/git-core/mergetools/bc3
usr/libexec/git-core/mergetools/defaults
usr/libexec/git-core/mergetools/diffuse
usr/libexec/git-core/mergetools/ecmerge
usr/libexec/git-core/mergetools/emerge
usr/libexec/git-core/mergetools/kdiff3
usr/libexec/git-core/mergetools/kompare
usr/libexec/git-core/mergetools/meld
usr/libexec/git-core/mergetools/opendiff
usr/libexec/git-core/mergetools/p4merge
usr/libexec/git-core/mergetools/tkdiff
usr/libexec/git-core/mergetools/tortoisemerge
usr/libexec/git-core/mergetools/vim
usr/libexec/git-core/mergetools/xxdiff
usr/share/git-core
usr/share/git-core/templates
usr/share/git-core/templates/branches
@@ -161,8 +215,6 @@ usr/share/git-core/templates/description
usr/share/git-core/templates/hooks
usr/share/git-core/templates/hooks/applypatch-msg.sample
usr/share/git-core/templates/hooks/commit-msg.sample
usr/share/git-core/templates/hooks/post-commit.sample
usr/share/git-core/templates/hooks/post-receive.sample
usr/share/git-core/templates/hooks/post-update.sample
usr/share/git-core/templates/hooks/pre-applypatch.sample
usr/share/git-core/templates/hooks/pre-commit.sample
@@ -195,16 +247,19 @@ usr/share/git-core/templates/info/exclude
#usr/share/git-gui/lib/error.tcl
#usr/share/git-gui/lib/git-gui.ico
#usr/share/git-gui/lib/index.tcl
#usr/share/git-gui/lib/line.tcl
#usr/share/git-gui/lib/logo.tcl
#usr/share/git-gui/lib/merge.tcl
#usr/share/git-gui/lib/mergetool.tcl
#usr/share/git-gui/lib/msgs
#usr/share/git-gui/lib/msgs/de.msg
#usr/share/git-gui/lib/msgs/el.msg
#usr/share/git-gui/lib/msgs/fr.msg
#usr/share/git-gui/lib/msgs/hu.msg
#usr/share/git-gui/lib/msgs/it.msg
#usr/share/git-gui/lib/msgs/ja.msg
#usr/share/git-gui/lib/msgs/nb.msg
#usr/share/git-gui/lib/msgs/pt_br.msg
#usr/share/git-gui/lib/msgs/ru.msg
#usr/share/git-gui/lib/msgs/sv.msg
#usr/share/git-gui/lib/msgs/zh_cn.msg
@@ -218,6 +273,7 @@ usr/share/git-core/templates/info/exclude
#usr/share/git-gui/lib/sshkey.tcl
#usr/share/git-gui/lib/status_bar.tcl
#usr/share/git-gui/lib/tclIndex
#usr/share/git-gui/lib/themed.tcl
#usr/share/git-gui/lib/tools.tcl
#usr/share/git-gui/lib/tools_dlg.tcl
#usr/share/git-gui/lib/transport.tcl
@@ -228,8 +284,21 @@ usr/share/git-core/templates/info/exclude
#usr/share/gitk/lib/msgs
#usr/share/gitk/lib/msgs/de.msg
#usr/share/gitk/lib/msgs/es.msg
#usr/share/gitk/lib/msgs/fr.msg
#usr/share/gitk/lib/msgs/hu.msg
#usr/share/gitk/lib/msgs/it.msg
#usr/share/gitk/lib/msgs/ja.msg
#usr/share/gitk/lib/msgs/pt_br.msg
#usr/share/gitk/lib/msgs/ru.msg
#usr/share/gitk/lib/msgs/sv.msg
#usr/share/gitweb
#usr/share/gitweb/gitweb.cgi
#usr/share/gitweb/static
#usr/share/gitweb/static/git-favicon.png
#usr/share/gitweb/static/git-logo.png
#usr/share/gitweb/static/gitweb.css
#usr/share/gitweb/static/gitweb.js
#usr/share/locale/is/LC_MESSAGES/git.mo
#usr/share/man/man3/Git.3
#usr/share/man/man3/Git::I18N.3
#usr/share/man/man3/private-Error.3


@@ -25,7 +25,7 @@
include Config
VER = 1.17
DATVER = 06122011
DATVER = 03032012
THISAPP = Geo-IP-PurePerl-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -43,7 +43,7 @@ $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
GeoIP.dat-$(DATVER).gz = $(DL_FROM)/GeoIP.dat-$(DATVER).gz
$(DL_FILE)_MD5 = 42a6b9d4dd2563a20c8998556216e1de
GeoIP.dat-$(DATVER).gz_MD5 = 78baa14e4e271f5fb9f75e5ff1169950
GeoIP.dat-$(DATVER).gz_MD5 = 98ba2a5c177cdfa8da6f9fab524e948d
install : $(TARGET)


@@ -24,7 +24,7 @@
include Config
VER = 0.97.3
VER = 0.97.4
THISAPP = clamav-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = clamav
PAK_VER = 18
PAK_VER = 19
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 5cf25ed7778fa0cb6b140ad8f009befb
$(DL_FILE)_MD5 = dc1e5abc093b11f120e4eac94a7f78aa
install : $(TARGET)


@@ -26,10 +26,10 @@ include Config
VERSUFIX=ipfire$(KCFG)
VER = 20091126
VER = 1.4
THISAPP = cryptodev-$(VER)
DL_FILE = $(THISAPP).tar.bz2
THISAPP = cryptodev-linux-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)-kmod-$(KVER)-$(VERSUFIX)
@@ -42,7 +42,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 26ffa32ef75bea7e980ab66166616e95
$(DL_FILE)_MD5 = 7b0ac1c0a88d8fbe7316db02f21666e6
install : $(TARGET)
@@ -74,13 +74,13 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && make build \
KERNEL_DIR=/lib/modules/$(KVER)-$(VERSUFIX)/build
-mkdir -pv /usr/include/crypto
cd $(DIR_APP) && make install \
KERNEL_DIR=/lib/modules/$(KVER)-$(VERSUFIX)/build
ln -svf ../crypto/cryptodev.h /usr/include/linux/cryptodev.h
# ln -svf ../crypto/cryptodev.h /usr/include/linux/cryptodev.h
@rm -rf $(DIR_APP)
@$(POSTBUILD)


@@ -24,7 +24,7 @@
include Config
VER = 2.1.3
VER = 2.1.4
THISAPP = fireinfo-v$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 8c977d1b8b0743ea0d244d1d8f86598a
$(DL_FILE)_MD5 = 4a5a027fadb7f81bda1224608a76c944
install : $(TARGET)

lfs/git

@@ -24,15 +24,15 @@
include Config
VER = 1.6.3.1
VER = 1.7.9.3
THISAPP = git-$(VER)
DL_FILE = $(THISAPP).tar.bz2
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = git
PAK_VER = 7
PAK_VER = 8
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = c1f4aab741359c29f0fbf28563ac7387
$(DL_FILE)_MD5 = f93b976649216d731fd9f9befb90a58c
install : $(TARGET)
@@ -76,7 +76,7 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && ./configure --prefix=/usr
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install


@@ -24,10 +24,10 @@
include Config
VER = 1.2.44
VER = 1.2.46
THISAPP = libpng-$(VER)
DL_FILE = $(THISAPP).tar.xz
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 098ab673ab74015978db98667febc4a9
$(DL_FILE)_MD5 = 03ddfc17ad321db93f984581e9415d22
install : $(TARGET)
@@ -69,7 +69,7 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar Jxf $(DIR_DL)/$(DL_FILE)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && ./configure --prefix=/usr
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install


@@ -24,7 +24,7 @@
include Config
VER = 0.9.8t
VER = 0.9.8u
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = f5dabb7ffb068eecf245f1b2151df100
$(DL_FILE)_MD5 = cb41e94f762ed63e41d1cca2b8430ede
install : $(TARGET)
@@ -70,15 +70,12 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-0.9.8n-cryptodev.diff
ifeq "$(PADLOCK)" "1"
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-0.9.8g-engine-padlock.patch
endif
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-0.9.8u-cryptodev.patch
@rm -rf /etc/ssl
cd $(DIR_APP) && sed -i -e 's/mcpu/march/' config
cd $(DIR_APP) && sed -i -e 's/-O3/-O2/' -e 's/-march=i486/-march=i586/' Configure
cd $(DIR_APP) && ./Configure --openssldir=/etc/ssl --prefix=/usr shared linux-elf \
zlib-dynamic no-asm 386
zlib-dynamic no-asm 386 -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGEST
cd $(DIR_APP) && make MANDIR=/usr/share/man
cd $(DIR_APP) && make MANDIR=/usr/share/man install
rm -rf /etc/ssl/lib


@@ -24,7 +24,7 @@
include Config
VER = 2.2.1
VER = 2.2.2
THISAPP = openvpn-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 500bee5449b29906150569aaf2eb2730
$(DL_FILE)_MD5 = c5181e27b7945fa6276d21873329c5c7
install : $(TARGET)
@@ -70,20 +70,26 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/var/ipfire/ovpn \
--enable-pthread
cd $(DIR_APP) && ./configure \
--prefix=/usr \
--sysconfdir=/var/ipfire/ovpn \
--enable-password-save \
--enable-pthread
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
cd $(DIR_APP) && cp -Rvf $(DIR_SRC)/config/ovpn /var/ipfire
-mkdir -pv /usr/lib/openvpn
cd $(DIR_APP)/plugin/auth-pam && make
cp -pvf $(DIR_APP)/plugin/auth-pam/openvpn-auth-pam.so /lib/
cp -pvf $(DIR_APP)/plugin/auth-pam/openvpn-auth-pam.so /usr/lib/openvpn
cd $(DIR_APP)/plugin/down-root && make
cp -pvf $(DIR_APP)/plugin/down-root/openvpn-down-root.so /lib/
cp -pvf $(DIR_APP)/plugin/down-root/openvpn-down-root.so /usr/lib/openvpn
-mkdir -vp /var/ipfire/ovpn/ca
-mkdir -vp /var/ipfire/ovpn/crls
-mkdir -vp /var/ipfire/ovpn/n2nconf
-mkdir -vp /var/ipfire/ovpn/scripts
touch /var/ipfire/ovpn/ovpn-leases.db
chmod 700 /var/ipfire/ovpn/ovpn-leases.db
chown -R root:root /var/ipfire/ovpn/scripts
chown -R nobody:nobody /var/ipfire/ovpn
chown root.nobody /var/log/ovpnserver.log
chmod 755 /var/ipfire/ovpn/verify
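Review bot: The `chown -R root:root /var/ipfire/ovpn/scripts` line is undone by the very next `chown -R nobody:nobody /var/ipfire/ovpn`, which recurses into `scripts` as well, so the directory ends up owned by the unprivileged account the daemon drops to; if the intent is that the daemon cannot rewrite scripts it later executes, the root chown must run after the recursive one, i.e. swap the two lines. Whether the scripts chown is new in this hunk or pre-existing context is not certain from the rendered page, but the ordering problem is the same either way. The added `--enable-password-save` configure flag changes what the built binary accepts (`auth-user-pass` and `askpass` may then read credentials from a file on disk); a one-line comment above the configure call stating which IPFire feature requires it would save the next maintainer from removing it as an unexplained build-hardening regression.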


@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = pound
PAK_VER = 3
PAK_VER = 4
DEPS = ""
@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -p4 < $(DIR_SRC)/src/patches/pound-2.6.patch
cd $(DIR_APP) && patch -p1 < $(DIR_SRC)/src/patches/Pound-2.6-reneg-ciphers-altnames-nosslv2.patch
cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/etc --enable-cert1l
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install


@@ -24,7 +24,7 @@
include Config
VER = 3.5.12
VER = 3.5.13
THISAPP = samba-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = samba
PAK_VER = 37
PAK_VER = 38
DEPS = "cups"
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = b1b8c6238a5524d001b8518d2b999993
$(DL_FILE)_MD5 = ceb91e31218e337ae8d47b35f03518ca
install : $(TARGET)


@@ -24,7 +24,7 @@
include Config
VER = 4.6.1
VER = 4.6.2
THISAPP = strongswan-$(VER)
DL_FILE = $(THISAPP).tar.bz2
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 85a28a12ed6f286a5bc9117e3a9386bb
$(DL_FILE)_MD5 = ed64e6746011930a70f3a271dc0e3c9e
install : $(TARGET)


@@ -24,7 +24,7 @@
include Config
VER = 1.2.2
VER = 1.2.3
THISAPP = usb-modeswitch-$(VER)
DL_FILE = $(THISAPP).tar.bz2
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 4f3d3b9342b59b488089a8a81abda3ae
$(DL_FILE)_MD5 = 9b29e8b0d93d7604a9e5efc4696d37a3
install : $(TARGET)


@@ -79,9 +79,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
ln -sv vim /usr/bin/vi
echo "set nocompatible" > /etc/vimrc
echo "set backspace=2" >> /etc/vimrc
echo "set ruler" >> /etc/vimrc
echo "syntax on" >> /etc/vimrc
echo -e "if (&term == \"iterm\") || (&term == \"putty\")" >> /etc/vimrc
echo "set background=dark" >> /etc/vimrc
echo " set background=dark" >> /etc/vimrc
echo "endif" >> /etc/vimrc
@rm -rf $(DIR_APP)
@$(POSTBUILD)


@@ -25,8 +25,8 @@
NAME="IPFire" # Software name
SNAME="ipfire" # Short name
VERSION="2.11" # Version number
CORE="57" # Core Level (Filename)
PAKFIRE_CORE="57" # Core Level (PAKFIRE)
CORE="58" # Core Level (Filename)
PAKFIRE_CORE="58" # Core Level (PAKFIRE)
GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch
SLOGAN="www.ipfire.org" # Software slogan
CONFIG_ROOT=/var/ipfire # Configuration rootdir



@@ -0,0 +1,452 @@
diff -Naur Pound-2.6.orig/config.c Pound-2.6.reneg-ciphers-altnames-nosslv2/config.c
--- Pound-2.6.orig/config.c 2011-12-28 14:57:45.000000000 +0100
+++ Pound-2.6.reneg-ciphers-altnames-nosslv2/config.c 2012-02-15 21:49:39.000000000 +0100
@@ -31,6 +31,8 @@
#include "pound.h"
+#include <openssl/x509v3.h>
+
#ifdef MISS_FACILITYNAMES
/* This is lifted verbatim from the Linux sys/syslog.h */
@@ -76,7 +78,7 @@
static regex_t Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination;
static regex_t Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr;
static regex_t Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale;
-static regex_t ClientCert, AddHeader, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11;
+static regex_t ClientCert, AddHeader, DisableSSLv2, SSLAllowClientRenegotiation, SSLHonorCipherOrder, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11;
static regex_t Grace, Include, ConnTO, IgnoreCase, HTTPS, HTTPSCert, Disabled, Threads, CNName;
static regmatch_t matches[5];
@@ -167,6 +169,53 @@
}
}
+unsigned char **
+get_subjectaltnames(X509 *x509, unsigned int *count)
+{
+ *count = 0;
+ unsigned int local_count = 0;
+ unsigned char **result = NULL;
+
+ STACK_OF(GENERAL_NAME) *san_stack = (STACK_OF(GENERAL_NAME)*)X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
+
+ unsigned char *temp[sk_GENERAL_NAME_num(san_stack)];
+
+ GENERAL_NAME *name = NULL;
+ while(sk_GENERAL_NAME_num(san_stack) > 0)
+ {
+ name = sk_GENERAL_NAME_pop(san_stack);
+
+ switch(name->type)
+ {
+ case GEN_DNS:
+ temp[local_count] = strndup(ASN1_STRING_data(name->d.dNSName), ASN1_STRING_length(name->d.dNSName)+1);
+ if(temp[local_count] == NULL) { conf_err("out of memory"); }
+ local_count++;
+ break;
+ default:
+ logmsg(LOG_INFO, "unsupported subjectAltName type encountered: %i", name->type);
+ }
+
+ GENERAL_NAME_free(name);
+ }
+
+ result = (unsigned char**)malloc(sizeof(unsigned char*)*local_count);
+ if(result == NULL) { conf_err("out of memory"); }
+ int i;
+ for(i = 0;i < local_count; i++)
+ {
+ result[i] = strndup(temp[i], strlen(temp[i])+1);
+ if(result[i] == NULL) { conf_err("out of memory"); }
+
+ free(temp[i]);
+ }
+ *count = local_count;
+
+ sk_GENERAL_NAME_pop_free(san_stack, GENERAL_NAME_free);
+
+ return result;
+}
+
/*
* parse a back-end
*/
@@ -289,9 +338,12 @@
} else if(!regexec(&HTTPS, lin, 4, matches, 0)) {
if((res->ctx = SSL_CTX_new(SSLv23_client_method())) == NULL)
conf_err("SSL_CTX_new failed - aborted");
+ SSL_CTX_set_app_data(res->ctx, res);
SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_options(res->ctx, SSL_OP_ALL);
+ SSL_CTX_clear_options(res->ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ SSL_CTX_clear_options(res->ctx, SSL_OP_LEGACY_SERVER_CONNECT);
sprintf(lin, "%d-Pound-%ld", getpid(), random());
SSL_CTX_set_session_id_context(res->ctx, (unsigned char *)lin, strlen(lin));
SSL_CTX_set_tmp_rsa_callback(res->ctx, RSA_tmp_callback);
@@ -299,6 +351,7 @@
} else if(!regexec(&HTTPSCert, lin, 4, matches, 0)) {
if((res->ctx = SSL_CTX_new(SSLv23_client_method())) == NULL)
conf_err("SSL_CTX_new failed - aborted");
+ SSL_CTX_set_app_data(res->ctx, res);
lin[matches[1].rm_eo] = '\0';
if(SSL_CTX_use_certificate_chain_file(res->ctx, lin + matches[1].rm_so) != 1)
conf_err("SSL_CTX_use_certificate_chain_file failed - aborted");
@@ -309,6 +362,8 @@
SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL);
SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_options(res->ctx, SSL_OP_ALL);
+ SSL_CTX_clear_options(res->ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+ SSL_CTX_clear_options(res->ctx, SSL_OP_LEGACY_SERVER_CONNECT);
sprintf(lin, "%d-Pound-%ld", getpid(), random());
SSL_CTX_set_session_id_context(res->ctx, (unsigned char *)lin, strlen(lin));
SSL_CTX_set_tmp_rsa_callback(res->ctx, RSA_tmp_callback);
@@ -805,13 +860,23 @@
/* logmsg(LOG_DEBUG, "Received SSL SNI Header for servername %s", servername); */
SSL_set_SSL_CTX(ssl, NULL);
- for(pc = ctx; pc; pc = pc->next)
+ for(pc = ctx; pc; pc = pc->next) {
if(fnmatch(pc->server_name, server_name, 0) == 0) {
/* logmsg(LOG_DEBUG, "Found cert for %s", servername); */
SSL_set_SSL_CTX(ssl, pc->ctx);
return SSL_TLSEXT_ERR_OK;
}
-
+ else if(pc->subjectAltNameCount > 0 && pc->subjectAltNames != NULL) {
+ int i;
+ for(i = 0; i < pc->subjectAltNameCount; i++) {
+ if(fnmatch(pc->subjectAltNames[i], server_name, 0) == 0) {
+ SSL_set_SSL_CTX(ssl, pc->ctx);
+ return SSL_TLSEXT_ERR_OK;
+ }
+ }
+ }
+ }
+
/* logmsg(LOG_DEBUG, "No match for %s, default used", server_name); */
SSL_set_SSL_CTX(ssl, ctx->ctx);
return SSL_TLSEXT_ERR_OK;
@@ -829,11 +894,15 @@
SERVICE *svc;
MATCHER *m;
int has_addr, has_port, has_other;
+ long ssl_op_enable, ssl_op_disable;
struct hostent *host;
struct sockaddr_in in;
struct sockaddr_in6 in6;
POUND_CTX *pc;
+ ssl_op_enable = SSL_OP_ALL;
+ ssl_op_disable = SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION | SSL_OP_LEGACY_SERVER_CONNECT;
+
if((res = (LISTENER *)malloc(sizeof(LISTENER))) == NULL)
conf_err("ListenHTTPS config: out of memory - aborted");
memset(res, 0, sizeof(LISTENER));
@@ -844,6 +913,8 @@
res->err500 = "An internal server error occurred. Please try again later.";
res->err501 = "This method may not be used.";
res->err503 = "The service is not available. Please try again later.";
+ res->allow_client_reneg = 0;
+ res->disable_ssl_v2 = 0;
res->log_level = log_level;
if(regcomp(&res->verb, xhttp[0], REG_ICASE | REG_NEWLINE | REG_EXTENDED))
conf_err("xHTTP bad default pattern - aborted");
@@ -959,6 +1030,9 @@
fclose(fcert);
memset(server_name, '\0', MAXBUF);
X509_NAME_oneline(X509_get_subject_name(x509), server_name, MAXBUF - 1);
+ pc->subjectAltNameCount = 0;
+ pc->subjectAltNames = NULL;
+ pc->subjectAltNames = get_subjectaltnames(x509, &(pc->subjectAltNameCount));
X509_free(x509);
if(!regexec(&CNName, server_name, 4, matches, 0)) {
server_name[matches[1].rm_eo] = '\0';
@@ -1029,6 +1103,25 @@
strcat(res->add_head, "\r\n");
strcat(res->add_head, lin + matches[1].rm_so);
}
+ } else if(!regexec(&DisableSSLv2, lin, 4, matches, 0)) {
+ res->disable_ssl_v2 = 1;
+ } else if(!regexec(&SSLAllowClientRenegotiation, lin, 4, matches, 0)) {
+ res->allow_client_reneg = atoi(lin + matches[1].rm_so);
+ if (res->allow_client_reneg == 2) {
+ ssl_op_enable |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ ssl_op_disable &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ } else {
+ ssl_op_disable |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ ssl_op_enable &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ }
+ } else if(!regexec(&SSLHonorCipherOrder, lin, 4, matches, 0)) {
+ if (atoi(lin + matches[1].rm_so)) {
+ ssl_op_enable |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+ ssl_op_disable &= ~SSL_OP_CIPHER_SERVER_PREFERENCE;
+ } else {
+ ssl_op_disable |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+ ssl_op_enable &= ~SSL_OP_CIPHER_SERVER_PREFERENCE;
+ }
} else if(!regexec(&Ciphers, lin, 4, matches, 0)) {
has_other = 1;
if(res->ctx == NULL)
@@ -1105,12 +1198,19 @@
conf_err("ListenHTTPS: can't set SNI callback");
#endif
for(pc = res->ctx; pc; pc = pc->next) {
+ SSL_CTX_set_app_data(pc->ctx, res);
SSL_CTX_set_mode(pc->ctx, SSL_MODE_AUTO_RETRY);
- SSL_CTX_set_options(pc->ctx, SSL_OP_ALL);
+ SSL_CTX_set_options(pc->ctx, ssl_op_enable);
+ SSL_CTX_clear_options(pc->ctx, ssl_op_disable);
+ if (res->disable_ssl_v2 == 1)
+ {
+ SSL_CTX_set_options(pc->ctx, SSL_OP_NO_SSLv2);
+ }
sprintf(lin, "%d-Pound-%ld", getpid(), random());
SSL_CTX_set_session_id_context(pc->ctx, (unsigned char *)lin, strlen(lin));
SSL_CTX_set_tmp_rsa_callback(pc->ctx, RSA_tmp_callback);
SSL_CTX_set_tmp_dh_callback(pc->ctx, DH_tmp_callback);
+ SSL_CTX_set_info_callback(pc->ctx, SSLINFO_callback);
}
return res;
} else {
@@ -1305,6 +1405,9 @@
|| regcomp(&DynScale, "^[ \t]*DynScale[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&ClientCert, "^[ \t]*ClientCert[ \t]+([0-3])[ \t]+([1-9])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&AddHeader, "^[ \t]*AddHeader[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&SSLAllowClientRenegotiation, "^[ \t]*SSLAllowClientRenegotiation[ \t]+([012])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&DisableSSLv2, "^[ \t]*DisableSSLv2[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&SSLHonorCipherOrder, "^[ \t]*SSLHonorCipherOrder[ \t]+([01])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&Ciphers, "^[ \t]*Ciphers[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&CAlist, "^[ \t]*CAlist[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
|| regcomp(&VerifyList, "^[ \t]*VerifyList[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
@@ -1463,6 +1566,9 @@
regfree(&DynScale);
regfree(&ClientCert);
regfree(&AddHeader);
+ regfree(&SSLAllowClientRenegotiation);
+ regfree(&DisableSSLv2);
+ regfree(&SSLHonorCipherOrder);
regfree(&Ciphers);
regfree(&CAlist);
regfree(&VerifyList);
diff -Naur Pound-2.6.orig/http.c Pound-2.6.reneg-ciphers-altnames-nosslv2/http.c
--- Pound-2.6.orig/http.c 2011-12-28 14:57:45.000000000 +0100
+++ Pound-2.6.reneg-ciphers-altnames-nosslv2/http.c 2012-02-15 21:44:46.000000000 +0100
@@ -246,6 +246,11 @@
static int err_to = -1;
+typedef struct {
+ int timeout;
+ RENEG_STATE *reneg_state;
+} BIO_ARG;
+
/*
* Time-out for client read/gets
* the SSL manual says not to do it, but it works well enough anyway...
@@ -253,18 +258,32 @@
static long
bio_callback(BIO *const bio, const int cmd, const char *argp, int argi, long argl, long ret)
{
+ BIO_ARG *bio_arg;
struct pollfd p;
int to, p_res, p_err;
if(cmd != BIO_CB_READ && cmd != BIO_CB_WRITE)
return ret;
+ //logmsg(LOG_NOTICE, "bio callback");
/* a time-out already occured */
- if((to = *((int *)BIO_get_callback_arg(bio)) * 1000) < 0) {
+ if((bio_arg = (BIO_ARG*)BIO_get_callback_arg(bio))==NULL) return ret;
+ if((to = bio_arg->timeout * 1000) < 0) {
errno = ETIMEDOUT;
return -1;
}
+ /* Renegotiations */
+ //logmsg(LOG_NOTICE, "RENEG STATE %d", bio_arg->reneg_state==NULL?-1:*bio_arg->reneg_state);
+ if (bio_arg->reneg_state != NULL && *bio_arg->reneg_state == RENEG_ABORT) {
+ logmsg(LOG_NOTICE, "REJECTING renegotiated session");
+ errno = ECONNABORTED;
+ return -1;
+ }
+
+ //logmsg(LOG_NOTICE, "TO %d", to);
+ if (to == 0) return ret;
+
for(;;) {
memset(&p, 0, sizeof(p));
BIO_get_fd(bio, &p.fd);
@@ -299,7 +318,7 @@
return -1;
case 0:
/* timeout - mark the BIO as unusable for the future */
- BIO_set_callback_arg(bio, (char *)&err_to);
+ bio_arg->timeout = err_to;
#ifdef EBUG
logmsg(LOG_WARNING, "(%lx) CALLBACK timeout poll after %d secs: %s",
pthread_self(), to / 1000, strerror(p_err));
@@ -503,7 +522,14 @@
regmatch_t matches[4];
struct linger l;
double start_req, end_req;
+ RENEG_STATE reneg_state;
+ BIO_ARG ba1, ba2;
+ reneg_state = RENEG_INIT;
+ ba1.reneg_state = &reneg_state;
+ ba2.reneg_state = &reneg_state;
+ ba1.timeout = 0;
+ ba2.timeout = 0;
from_host = ((thr_arg *)arg)->from_host;
memcpy(&from_host_addr, from_host.ai_addr, from_host.ai_addrlen);
from_host.ai_addr = (struct sockaddr *)&from_host_addr;
@@ -512,6 +538,8 @@
free(((thr_arg *)arg)->from_host.ai_addr);
free(arg);
+ if(lstn->allow_client_reneg) reneg_state = RENEG_ALLOW;
+
n = 1;
setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&n, sizeof(n));
l.l_onoff = 1;
@@ -535,10 +563,11 @@
close(sock);
return;
}
- if(lstn->to > 0) {
- BIO_set_callback_arg(cl, (char *)&lstn->to);
+ //if(lstn->to > 0) {
+ ba1.timeout = lstn->to;
+ BIO_set_callback_arg(cl, (char *)&ba1);
BIO_set_callback(cl, bio_callback);
- }
+ //}
if(lstn->ctx != NULL) {
if((ssl = SSL_new(lstn->ctx->ctx)) == NULL) {
@@ -547,6 +576,7 @@
BIO_free_all(cl);
return;
}
+ SSL_set_app_data(ssl, &reneg_state);
SSL_set_bio(ssl, cl, cl);
if((bb = BIO_new(BIO_f_ssl())) == NULL) {
logmsg(LOG_WARNING, "(%lx) BIO_new(Bio_f_ssl()) failed", pthread_self());
@@ -848,7 +878,8 @@
}
BIO_set_close(be, BIO_CLOSE);
if(backend->to > 0) {
- BIO_set_callback_arg(be, (char *)&backend->to);
+ ba2.timeout = backend->to;
+ BIO_set_callback_arg(be, (char *)&ba2);
BIO_set_callback(be, bio_callback);
}
if(backend->ctx != NULL) {
diff -Naur Pound-2.6.orig/pound.8 Pound-2.6.reneg-ciphers-altnames-nosslv2/pound.8
--- Pound-2.6.orig/pound.8 2011-12-28 14:57:45.000000000 +0100
+++ Pound-2.6.reneg-ciphers-altnames-nosslv2/pound.8 2012-02-15 21:44:46.000000000 +0100
@@ -501,6 +501,19 @@
and
.I SSL_CTX_set_cipher_list(3).
.TP
+\fBSSLHonorCipherOrder\fR 0|1
+If this value is 1, the server will broadcast a preference to use \fBCiphers\fR in the
+order supplied in the \fBCiphers\fR directive. If the value is 0, the server will treat
+the Ciphers list as the list of Ciphers it will accept, but no preference will be
+indicated. Default value is 0.
+.TP
+\fBSSLAllowClientRenegotiation\fR 0|1|2
+If this value is 0, client initiated renegotiation will be disabled. This will mitigate
+DoS exploits based on client renegotiation, regardless of the patch status of clients and
+servers related to "Secure renegotiation". If the value is 1, secure renegotiation is
+supported. If the value is 2, insecure renegotiation is supported, with unpatched
+clients. /fBThis can lead to a DoS and a Man in the Middle attack!/fR Default value is 0.
+.TP
\fBCAlist\fR "CAcert_file"
Set the list of "trusted" CA's for this server. The CAcert_file is a file containing
a sequence of CA certificates (PEM format). The names of the defined CA certificates
diff -Naur Pound-2.6.orig/pound.h Pound-2.6.reneg-ciphers-altnames-nosslv2/pound.h
--- Pound-2.6.orig/pound.h 2011-12-28 14:57:45.000000000 +0100
+++ Pound-2.6.reneg-ciphers-altnames-nosslv2/pound.h 2012-02-15 21:49:39.000000000 +0100
@@ -380,6 +380,8 @@
SSL_CTX *ctx;
char *server_name;
struct _pound_ctx *next;
+ unsigned int subjectAltNameCount;
+ unsigned char **subjectAltNames;
} POUND_CTX;
/* Listener definition */
@@ -404,6 +406,8 @@
int rewr_dest; /* rewrite destination header */
int disabled; /* true if the listener is disabled */
int log_level; /* log level for this listener */
+ int allow_client_reneg; /* Allow Client SSL Renegotiation */
+ int disable_ssl_v2; /* Disable SSL version 2 */
SERVICE *services;
struct _listener *next;
} LISTENER;
@@ -419,6 +423,9 @@
struct _thr_arg *next;
} thr_arg; /* argument to processing threads: socket, origin */
+/* Track SSL handshare/renegotiation so we can reject client-renegotiations. */
+typedef enum { RENEG_INIT=0, RENEG_REJECT, RENEG_ALLOW, RENEG_ABORT } RENEG_STATE;
+
/* Header types */
#define HEADER_ILLEGAL -1
#define HEADER_OTHER 0
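Review bot: Typo in the new comment: `handshare` should read `handshake`. Since the state transitions are spread across http.c and svc.c, the enum would benefit from a one-line meaning per value: INIT while the first handshake is in progress, REJECT once it completed (further client-initiated renegotiation is refused), ALLOW when the listener's `SSLAllowClientRenegotiation` permits it, and ABORT once a rejected renegotiation was observed and subsequent BIO reads/writes must fail.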
@@ -591,6 +598,11 @@
extern DH *DH_tmp_callback(SSL *, int, int);
/*
+ * Renegotiation callback
+ */
+extern void SSLINFO_callback(const SSL *s, int where, int rc);
+
+/*
* expiration stuff
*/
#ifndef EXPIRE_TO
diff -Naur Pound-2.6.orig/svc.c Pound-2.6.reneg-ciphers-altnames-nosslv2/svc.c
--- Pound-2.6.orig/svc.c 2011-12-28 14:57:45.000000000 +0100
+++ Pound-2.6.reneg-ciphers-altnames-nosslv2/svc.c 2012-02-15 21:44:46.000000000 +0100
@@ -1797,3 +1797,34 @@
close(ctl);
}
}
+
+void
+SSLINFO_callback(const SSL *ssl, int where, int rc)
+{
+ RENEG_STATE *reneg_state;
+
+ /* Get our thr_arg where we're tracking this connection info */
+ if ((reneg_state = (RENEG_STATE *)SSL_get_app_data(ssl)) == NULL) return;
+
+ /* If we're rejecting renegotiations, move to ABORT if Client Hello is being read. */
+ if ((where & SSL_CB_ACCEPT_LOOP) && *reneg_state == RENEG_REJECT) {
+ int state = SSL_get_state(ssl);
+
+ if (state == SSL3_ST_SR_CLNT_HELLO_A || state == SSL23_ST_SR_CLNT_HELLO_A) {
+ *reneg_state = RENEG_ABORT;
+ logmsg(LOG_WARNING,"rejecting client initiated renegotiation");
+ }
+ }
+ else if (where & SSL_CB_HANDSHAKE_DONE && *reneg_state == RENEG_INIT) {
+ // Reject any followup renegotiations
+ *reneg_state = RENEG_REJECT;
+ }
+
+ //if (where & SSL_CB_HANDSHAKE_START) logmsg(LOG_DEBUG, "handshake start");
+ //else if (where & SSL_CB_HANDSHAKE_DONE) logmsg(LOG_DEBUG, "handshake done");
+ //else if (where & SSL_CB_LOOP) logmsg(LOG_DEBUG, "loop");
+ //else if (where & SSL_CB_READ) logmsg(LOG_DEBUG, "read");
+ //else if (where & SSL_CB_WRITE) logmsg(LOG_DEBUG, "write");
+ //else if (where & SSL_CB_ALERT) logmsg(LOG_DEBUG, "alert");
+}
+
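Review bot: The comment `/* Get our thr_arg where we're tracking this connection info */` is stale: the app data set in http.c is `&reneg_state` (a `RENEG_STATE *`), not a `thr_arg`, so it should read `/* app data is the per-connection RENEG_STATE set via SSL_set_app_data() in http.c */`. The callback itself only moves the state to `RENEG_ABORT`; the connection is actually refused on the next read or write when `bio_callback` sees that state, which deserves a sentence in a function header comment because a reader of svc.c alone cannot see it. The six commented-out `logmsg` lines at the end should be dropped or placed behind `#ifdef EBUG` like the existing debug logging in http.c.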


@@ -0,0 +1,882 @@
diff -Naur openssl-0.9.8u.org/crypto/engine/eng_all.c openssl-0.9.8u/crypto/engine/eng_all.c
--- openssl-0.9.8u.org/crypto/engine/eng_all.c 2010-03-01 01:30:11.000000000 +0100
+++ openssl-0.9.8u/crypto/engine/eng_all.c 2012-03-27 14:07:11.000000000 +0200
@@ -113,7 +113,6 @@
#endif
}
-#if defined(__OpenBSD__) || defined(__FreeBSD__)
void ENGINE_setup_bsd_cryptodev(void) {
static int bsd_cryptodev_default_loaded = 0;
if (!bsd_cryptodev_default_loaded) {
@@ -122,4 +121,3 @@
}
bsd_cryptodev_default_loaded=1;
}
-#endif
diff -Naur openssl-0.9.8u.org/crypto/engine/eng_cryptodev.c openssl-0.9.8u/crypto/engine/eng_cryptodev.c
--- openssl-0.9.8u.org/crypto/engine/eng_cryptodev.c 2012-03-06 14:22:32.000000000 +0100
+++ openssl-0.9.8u/crypto/engine/eng_cryptodev.c 2012-03-27 14:02:59.000000000 +0200
@@ -2,6 +2,7 @@
* Copyright (c) 2002 Bob Beck <beck@openbsd.org>
* Copyright (c) 2002 Theo de Raadt
* Copyright (c) 2002 Markus Friedl
+ * Copyright (c) 2012 Nikos Mavrogiannopoulos
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -30,10 +31,6 @@
#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/bn.h>
-#include <openssl/dsa.h>
-#include <openssl/rsa.h>
-#include <openssl/dh.h>
-#include <openssl/err.h>
#if (defined(__unix__) || defined(unix)) && !defined(USG) && \
(defined(OpenBSD) || defined(__FreeBSD__))
@@ -59,6 +56,10 @@
#include <sys/types.h>
#include <crypto/cryptodev.h>
+#include <crypto/dh/dh.h>
+#include <crypto/dsa/dsa.h>
+#include <crypto/err/err.h>
+#include <crypto/rsa/rsa.h>
#include <sys/ioctl.h>
#include <errno.h>
#include <stdio.h>
@@ -72,6 +73,12 @@
struct dev_crypto_state {
struct session_op d_sess;
int d_fd;
+
+#ifdef USE_CRYPTODEV_DIGESTS
+ unsigned char digest_res[HASH_MAX_LEN];
+ char *mac_data;
+ int mac_len;
+#endif
};
static u_int32_t cryptodev_asymfeat = 0;
@@ -79,15 +86,14 @@
static int get_asym_dev_crypto(void);
static int open_dev_crypto(void);
static int get_dev_crypto(void);
-static int cryptodev_max_iv(int cipher);
-static int cryptodev_key_length_valid(int cipher, int len);
-static int cipher_nid_to_cryptodev(int nid);
static int get_cryptodev_ciphers(const int **cnids);
-/*static int get_cryptodev_digests(const int **cnids);*/
+#ifdef USE_CRYPTODEV_DIGESTS
+static int get_cryptodev_digests(const int **cnids);
+#endif
static int cryptodev_usable_ciphers(const int **nids);
static int cryptodev_usable_digests(const int **nids);
static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- const unsigned char *in, unsigned int inl);
+ const unsigned char *in, size_t inl);
static int cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc);
static int cryptodev_cleanup(EVP_CIPHER_CTX *ctx);
@@ -121,7 +127,7 @@
static int cryptodev_dh_compute_key(unsigned char *key,
const BIGNUM *pub_key, DH *dh);
static int cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p,
- void (*f)());
+ void (*f)(void));
void ENGINE_load_cryptodev(void);
static const ENGINE_CMD_DEFN cryptodev_defns[] = {
@@ -134,27 +140,38 @@
int ivmax;
int keylen;
} ciphers[] = {
+ { CRYPTO_ARC4, NID_rc4, 0, 16, },
{ CRYPTO_DES_CBC, NID_des_cbc, 8, 8, },
{ CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, },
{ CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, },
+ { CRYPTO_AES_CBC, NID_aes_192_cbc, 16, 24, },
+ { CRYPTO_AES_CBC, NID_aes_256_cbc, 16, 32, },
{ CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, },
{ CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, },
{ CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, },
{ 0, NID_undef, 0, 0, },
};
-#if 0
+#ifdef USE_CRYPTODEV_DIGESTS
static struct {
int id;
int nid;
+ int digestlen;
} digests[] = {
- { CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, },
- { CRYPTO_RIPEMD160_HMAC, NID_ripemd160, },
- { CRYPTO_MD5_KPDK, NID_undef, },
- { CRYPTO_SHA1_KPDK, NID_undef, },
- { CRYPTO_MD5, NID_md5, },
- { CRYPTO_SHA1, NID_undef, },
- { 0, NID_undef, },
+#if 0
+ /* HMAC is not supported */
+ { CRYPTO_MD5_HMAC, NID_hmacWithMD5, 16},
+ { CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, 20},
+ { CRYPTO_SHA2_256_HMAC, NID_hmacWithSHA256, 32},
+ { CRYPTO_SHA2_384_HMAC, NID_hmacWithSHA384, 48},
+ { CRYPTO_SHA2_512_HMAC, NID_hmacWithSHA512, 64},
+#endif
+ { CRYPTO_MD5, NID_md5, 16},
+ { CRYPTO_SHA1, NID_sha1, 20},
+ { CRYPTO_SHA2_256, NID_sha256, 32},
+ { CRYPTO_SHA2_384, NID_sha384, 48},
+ { CRYPTO_SHA2_512, NID_sha512, 64},
+ { 0, NID_undef, 0},
};
#endif
@@ -186,6 +203,7 @@
if ((fd = open_dev_crypto()) == -1)
return (-1);
+#ifndef CRIOGET_NOT_NEEDED
if (ioctl(fd, CRIOGET, &retfd) == -1)
return (-1);
@@ -194,9 +212,19 @@
close(retfd);
return (-1);
}
+#else
+ retfd = fd;
+#endif
return (retfd);
}
+static void put_dev_crypto(int fd)
+{
+#ifndef CRIOGET_NOT_NEEDED
+ close(fd);
+#endif
+}
+
/* Caching version for asym operations */
static int
get_asym_dev_crypto(void)
@@ -209,50 +237,6 @@
}
/*
- * XXXX this needs to be set for each alg - and determined from
- * a running card.
- */
-static int
-cryptodev_max_iv(int cipher)
-{
- int i;
-
- for (i = 0; ciphers[i].id; i++)
- if (ciphers[i].id == cipher)
- return (ciphers[i].ivmax);
- return (0);
-}
-
-/*
- * XXXX this needs to be set for each alg - and determined from
- * a running card. For now, fake it out - but most of these
- * for real devices should return 1 for the supported key
- * sizes the device can handle.
- */
-static int
-cryptodev_key_length_valid(int cipher, int len)
-{
- int i;
-
- for (i = 0; ciphers[i].id; i++)
- if (ciphers[i].id == cipher)
- return (ciphers[i].keylen == len);
- return (0);
-}
-
-/* convert libcrypto nids to cryptodev */
-static int
-cipher_nid_to_cryptodev(int nid)
-{
- int i;
-
- for (i = 0; ciphers[i].id; i++)
- if (ciphers[i].nid == nid)
- return (ciphers[i].id);
- return (0);
-}
-
-/*
* Find out what ciphers /dev/crypto will let us have a session for.
* XXX note, that some of these openssl doesn't deal with yet!
* returning them here is harmless, as long as we return NULL
@@ -264,13 +248,14 @@
static int nids[CRYPTO_ALGORITHM_MAX];
struct session_op sess;
int fd, i, count = 0;
+ unsigned char fake_key[CRYPTO_CIPHER_MAX_KEY_LEN];
if ((fd = get_dev_crypto()) < 0) {
*cnids = NULL;
return (0);
}
memset(&sess, 0, sizeof(sess));
- sess.key = (caddr_t)"123456781234567812345678";
+ sess.key = (void*)fake_key;
for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
if (ciphers[i].nid == NID_undef)
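Review bot: `fake_key` is handed to the kernel uninitialised via `sess.key = (void*)fake_key;`; for a capability probe the bytes do not matter, but it reads uninitialised stack and will be flagged by MemorySanitizer or Valgrind, so add `memset(fake_key, 0, sizeof(fake_key));` right after the declaration. The same applies to the `fake_key` added to `get_cryptodev_digests` in the hunk at `@@ -302,6 +287,7 @@`. `get_cryptodev_ciphers` starts before and continues after this hunk.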
@@ -282,7 +267,7 @@
ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
nids[count++] = ciphers[i].nid;
}
- close(fd);
+ put_dev_crypto(fd);
if (count > 0)
*cnids = nids;
@@ -291,7 +276,7 @@
return (count);
}
-#if 0 /* unused */
+#ifdef USE_CRYPTODEV_DIGESTS
/*
* Find out what digests /dev/crypto will let us have a session for.
* XXX note, that some of these openssl doesn't deal with yet!
@@ -302,6 +287,7 @@
get_cryptodev_digests(const int **cnids)
{
static int nids[CRYPTO_ALGORITHM_MAX];
+ unsigned char fake_key[CRYPTO_CIPHER_MAX_KEY_LEN];
struct session_op sess;
int fd, i, count = 0;
@@ -310,16 +296,18 @@
return (0);
}
memset(&sess, 0, sizeof(sess));
+ sess.mackey = fake_key;
for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
if (digests[i].nid == NID_undef)
continue;
sess.mac = digests[i].id;
+ sess.mackeylen = 8;
sess.cipher = 0;
if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
nids[count++] = digests[i].nid;
}
- close(fd);
+ put_dev_crypto(fd);
if (count > 0)
*cnids = nids;
@@ -327,8 +315,7 @@
*cnids = NULL;
return (count);
}
-
-#endif
+#endif /* 0 */
/*
* Find the useable ciphers|digests from dev/crypto - this is the first
@@ -360,6 +347,9 @@
static int
cryptodev_usable_digests(const int **nids)
{
+#ifdef USE_CRYPTODEV_DIGESTS
+ return (get_cryptodev_digests(nids));
+#else
/*
* XXXX just disable all digests for now, because it sucks.
* we need a better way to decide this - i.e. I may not
@@ -374,11 +364,12 @@
*/
*nids = NULL;
return (0);
+#endif
}
static int
cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- const unsigned char *in, unsigned int inl)
+ const unsigned char *in, size_t inl)
{
struct crypt_op cryp;
struct dev_crypto_state *state = ctx->cipher_data;
@@ -398,14 +389,14 @@
cryp.ses = sess->ses;
cryp.flags = 0;
cryp.len = inl;
- cryp.src = (caddr_t) in;
- cryp.dst = (caddr_t) out;
+ cryp.src = (void*) in;
+ cryp.dst = (void*) out;
cryp.mac = 0;
cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT;
if (ctx->cipher->iv_len) {
- cryp.iv = (caddr_t) ctx->iv;
+ cryp.iv = (void*) ctx->iv;
if (!ctx->encrypt) {
iiv = in + inl - ctx->cipher->iv_len;
memcpy(save_iv, iiv, ctx->cipher->iv_len);
@@ -436,28 +427,32 @@
{
struct dev_crypto_state *state = ctx->cipher_data;
struct session_op *sess = &state->d_sess;
- int cipher;
+ int cipher = -1, i;
- if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef)
- return (0);
-
- if (ctx->cipher->iv_len > cryptodev_max_iv(cipher))
- return (0);
+ for (i = 0; ciphers[i].id; i++)
+ if (ctx->cipher->nid == ciphers[i].nid &&
+ ctx->cipher->iv_len <= ciphers[i].ivmax &&
+ ctx->key_len == ciphers[i].keylen) {
+ cipher = ciphers[i].id;
+ break;
+ }
- if (!cryptodev_key_length_valid(cipher, ctx->key_len))
+ if (!ciphers[i].id) {
+ state->d_fd = -1;
return (0);
+ }
memset(sess, 0, sizeof(struct session_op));
if ((state->d_fd = get_dev_crypto()) < 0)
return (0);
- sess->key = (char *)key;
+ sess->key = (void*)key;
sess->keylen = ctx->key_len;
sess->cipher = cipher;
if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) {
- close(state->d_fd);
+ put_dev_crypto(state->d_fd);
state->d_fd = -1;
return (0);
}
@@ -494,7 +489,7 @@
} else {
ret = 1;
}
- close(state->d_fd);
+ put_dev_crypto(state->d_fd);
state->d_fd = -1;
return (ret);
@@ -505,6 +500,20 @@
* gets called when libcrypto requests a cipher NID.
*/
+/* RC4 */
+const EVP_CIPHER cryptodev_rc4 = {
+ NID_rc4,
+ 1, 16, 0,
+ EVP_CIPH_VARIABLE_LENGTH,
+ cryptodev_init_key,
+ cryptodev_cipher,
+ cryptodev_cleanup,
+ sizeof(struct dev_crypto_state),
+ NULL,
+ NULL,
+ NULL
+};
+
/* DES CBC EVP */
const EVP_CIPHER cryptodev_des_cbc = {
NID_des_cbc,
@@ -572,6 +581,32 @@
NULL
};
+const EVP_CIPHER cryptodev_aes_192_cbc = {
+ NID_aes_192_cbc,
+ 16, 24, 16,
+ EVP_CIPH_CBC_MODE,
+ cryptodev_init_key,
+ cryptodev_cipher,
+ cryptodev_cleanup,
+ sizeof(struct dev_crypto_state),
+ EVP_CIPHER_set_asn1_iv,
+ EVP_CIPHER_get_asn1_iv,
+ NULL
+};
+
+const EVP_CIPHER cryptodev_aes_256_cbc = {
+ NID_aes_256_cbc,
+ 16, 32, 16,
+ EVP_CIPH_CBC_MODE,
+ cryptodev_init_key,
+ cryptodev_cipher,
+ cryptodev_cleanup,
+ sizeof(struct dev_crypto_state),
+ EVP_CIPHER_set_asn1_iv,
+ EVP_CIPHER_get_asn1_iv,
+ NULL
+};
+
/*
* Registered by the ENGINE when used to find out how to deal with
* a particular NID in the ENGINE. this says what we'll do at the
@@ -585,6 +620,9 @@
return (cryptodev_usable_ciphers(nids));
switch (nid) {
+ case NID_rc4:
+ *cipher = &cryptodev_rc4;
+ break;
case NID_des_ede3_cbc:
*cipher = &cryptodev_3des_cbc;
break;
@@ -600,6 +638,12 @@
case NID_aes_128_cbc:
*cipher = &cryptodev_aes_cbc;
break;
+ case NID_aes_192_cbc:
+ *cipher = &cryptodev_aes_192_cbc;
+ break;
+ case NID_aes_256_cbc:
+ *cipher = &cryptodev_aes_256_cbc;
+ break;
default:
*cipher = NULL;
break;
@@ -607,6 +651,286 @@
return (*cipher != NULL);
}
+
+#ifdef USE_CRYPTODEV_DIGESTS
+
+/* convert digest type to cryptodev */
+static int
+digest_nid_to_cryptodev(int nid)
+{
+ int i;
+
+ for (i = 0; digests[i].id; i++)
+ if (digests[i].nid == nid)
+ return (digests[i].id);
+ return (0);
+}
+
+
+static int cryptodev_digest_init(EVP_MD_CTX *ctx)
+{
+ struct dev_crypto_state *state = ctx->md_data;
+ struct session_op *sess = &state->d_sess;
+ int digest;
+
+ if ((digest = digest_nid_to_cryptodev(ctx->digest->type)) == NID_undef){
+ printf("cryptodev_digest_init: Can't get digest \n");
+ return (0);
+ }
+ memset(state, 0, sizeof(struct dev_crypto_state));
+
+ if ((state->d_fd = get_dev_crypto()) < 0) {
+ printf("cryptodev_digest_init: Can't get Dev \n");
+ return (0);
+ }
+
+ sess->mackey = NULL;
+ sess->mackeylen = 0;
+ sess->mac = digest;
+
+ if (ioctl(state->d_fd, CIOCGSESSION, sess) < 0) {
+ put_dev_crypto(state->d_fd);
+ state->d_fd = -1;
+ printf("cryptodev_digest_init: Open session failed\n");
+ return (0);
+ }
+
+ return (1);
+}
+
+static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data,
+ size_t count)
+{
+ struct dev_crypto_state *state = ctx->md_data;
+ struct crypt_op cryp;
+ struct session_op *sess = &state->d_sess;
+
+ if (!data || state->d_fd < 0) {
+ printf("cryptodev_digest_update: illegal inputs \n");
+ return (0);
+ }
+
+ if (!count) {
+ return (1);
+ }
+
+ if (!(ctx->flags & EVP_MD_CTX_FLAG_ONESHOT)) {
+ /* if application doesn't support one buffer */
+ state->mac_data = OPENSSL_realloc(state->mac_data, state->mac_len + count);
+
+ if (!state->mac_data) {
+ printf("cryptodev_digest_update: realloc failed\n");
+ return (0);
+ }
+
+ memcpy(state->mac_data + state->mac_len, data, count);
+ state->mac_len += count;
+
+ return (1);
+ }
+
+ memset(&cryp, 0, sizeof(cryp));
+
+ cryp.ses = sess->ses;
+ cryp.flags = 0;
+ cryp.len = count;
+ cryp.src = (void*) data;
+ cryp.dst = NULL;
+ cryp.mac = (void*) state->digest_res;
+ if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) {
+ printf("cryptodev_digest_update: digest failed\n");
+ return (0);
+ }
+ return (1);
+}
+
+
+static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+ struct crypt_op cryp;
+ struct dev_crypto_state *state = ctx->md_data;
+ struct session_op *sess = &state->d_sess;
+
+ if (!md || state->d_fd < 0) {
+ printf("cryptodev_digest_final: illegal input\n");
+ return(0);
+ }
+
+ if (! (ctx->flags & EVP_MD_CTX_FLAG_ONESHOT) ) {
+ /* if application doesn't support one buffer */
+ memset(&cryp, 0, sizeof(cryp));
+ cryp.ses = sess->ses;
+ cryp.flags = 0;
+ cryp.len = state->mac_len;
+ cryp.src = state->mac_data;
+ cryp.dst = NULL;
+ cryp.mac = (void*)md;
+ if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) {
+ printf("cryptodev_digest_final: digest failed\n");
+ return (0);
+ }
+
+ return 1;
+ }
+
+ memcpy(md, state->digest_res, ctx->digest->md_size);
+
+ return 1;
+}
+
+
+static int cryptodev_digest_cleanup(EVP_MD_CTX *ctx)
+{
+ int ret = 1;
+ struct dev_crypto_state *state = ctx->md_data;
+ struct session_op *sess = &state->d_sess;
+
+ if (state == NULL)
+ return 0;
+
+ if (state->d_fd < 0) {
+ printf("cryptodev_digest_cleanup: illegal input\n");
+ return (0);
+ }
+
+ if (state->mac_data) {
+ OPENSSL_free(state->mac_data);
+ state->mac_data = NULL;
+ state->mac_len = 0;
+ }
+
+ if (ioctl(state->d_fd, CIOCFSESSION, &sess->ses) < 0) {
+ printf("cryptodev_digest_cleanup: failed to close session\n");
+ ret = 0;
+ } else {
+ ret = 1;
+ }
+ put_dev_crypto(state->d_fd);
+ state->d_fd = -1;
+
+ return (ret);
+}
+
+static int cryptodev_digest_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from)
+{
+ struct dev_crypto_state *fstate = from->md_data;
+ struct dev_crypto_state *dstate = to->md_data;
+ struct session_op *sess;
+ int digest;
+
+ if (dstate == NULL || fstate == NULL)
+ return 1;
+
+ memcpy(dstate, fstate, sizeof(struct dev_crypto_state));
+
+ sess = &dstate->d_sess;
+
+ digest = digest_nid_to_cryptodev(to->digest->type);
+
+ sess->mackey = NULL;
+ sess->mackeylen = 0;
+ sess->mac = digest;
+
+ dstate->d_fd = get_dev_crypto();
+
+ if (ioctl(dstate->d_fd, CIOCGSESSION, sess) < 0) {
+ put_dev_crypto(dstate->d_fd);
+ dstate->d_fd = -1;
+ printf("cryptodev_digest_init: Open session failed\n");
+ return (0);
+ }
+
+ if (fstate->mac_len != 0) {
+ if (fstate->mac_data != NULL)
+ {
+ dstate->mac_data = OPENSSL_malloc(fstate->mac_len);
+ memcpy(dstate->mac_data, fstate->mac_data, fstate->mac_len);
+ dstate->mac_len = fstate->mac_len;
+ }
+ }
+
+ return 1;
+}
+
+
+static const EVP_MD cryptodev_sha1 = {
+ NID_sha1,
+ NID_sha1WithRSAEncryption,
+ SHA_DIGEST_LENGTH,
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|EVP_MD_FLAG_ONESHOT,
+ cryptodev_digest_init,
+ cryptodev_digest_update,
+ cryptodev_digest_final,
+ cryptodev_digest_copy,
+ cryptodev_digest_cleanup,
+ EVP_PKEY_RSA_method,
+ SHA_CBLOCK,
+ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
+};
+
+static const EVP_MD cryptodev_sha256 = {
+ NID_sha256,
+ NID_sha256WithRSAEncryption,
+ SHA256_DIGEST_LENGTH,
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|EVP_MD_FLAG_ONESHOT,
+ cryptodev_digest_init,
+ cryptodev_digest_update,
+ cryptodev_digest_final,
+ cryptodev_digest_copy,
+ cryptodev_digest_cleanup,
+ EVP_PKEY_RSA_method,
+ SHA256_CBLOCK,
+ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
+};
+
+static const EVP_MD cryptodev_sha384 = {
+ NID_sha384,
+ NID_sha384WithRSAEncryption,
+ SHA384_DIGEST_LENGTH,
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|EVP_MD_FLAG_ONESHOT,
+ cryptodev_digest_init,
+ cryptodev_digest_update,
+ cryptodev_digest_final,
+ cryptodev_digest_copy,
+ cryptodev_digest_cleanup,
+ EVP_PKEY_RSA_method,
+ SHA512_CBLOCK,
+ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
+};
+
+static const EVP_MD cryptodev_sha512 = {
+ NID_sha512,
+ NID_sha512WithRSAEncryption,
+ SHA512_DIGEST_LENGTH,
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|EVP_MD_FLAG_ONESHOT,
+ cryptodev_digest_init,
+ cryptodev_digest_update,
+ cryptodev_digest_final,
+ cryptodev_digest_copy,
+ cryptodev_digest_cleanup,
+ EVP_PKEY_RSA_method,
+ SHA512_CBLOCK,
+ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
+};
+
+static const EVP_MD cryptodev_md5 = {
+ NID_md5,
+ NID_md5WithRSAEncryption,
+ 16 /* MD5_DIGEST_LENGTH */,
+ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT|EVP_MD_FLAG_ONESHOT,
+ cryptodev_digest_init,
+ cryptodev_digest_update,
+ cryptodev_digest_final,
+ cryptodev_digest_copy,
+ cryptodev_digest_cleanup,
+ EVP_PKEY_RSA_method,
+ 64 /* MD5_CBLOCK */,
+ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state),
+};
+
+#endif /* USE_CRYPTODEV_DIGESTS */
+
+
static int
cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest,
const int **nids, int nid)
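Review bot: In `cryptodev_digest_update`, `state->mac_data = OPENSSL_realloc(state->mac_data, …)` overwrites the only pointer to the buffer, so on allocation failure the old data leaks and `cryptodev_digest_cleanup` later frees nothing; use a temporary: `void *p = OPENSSL_realloc(state->mac_data, state->mac_len + count); if (!p) return (0); state->mac_data = p;`. `cryptodev_digest_copy` has the same class of gap: the result of `OPENSSL_malloc(fstate->mac_len)` is passed to `memcpy` without a NULL check, `get_dev_crypto()` is not checked for `-1` before the `CIOCGSESSION` ioctl, its error message names `cryptodev_digest_init`, and the whole-struct `memcpy` copies `fstate->mac_data` into `dstate`, so correctness relies on `mac_len` and `mac_data` always agreeing — setting `dstate->mac_data = NULL; dstate->mac_len = 0;` immediately after the `memcpy` makes that explicit. All the new error paths report through `printf` to stdout, which library code should not do; `fprintf(stderr, …)` (or the file's existing logging, if any) would be the consistent choice.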
@@ -615,10 +939,24 @@
return (cryptodev_usable_digests(nids));
switch (nid) {
+#ifdef USE_CRYPTODEV_DIGESTS
case NID_md5:
- *digest = NULL; /* need to make a clean md5 critter */
+ *digest = &cryptodev_md5;
break;
+ case NID_sha1:
+ *digest = &cryptodev_sha1;
+ break;
+ case NID_sha256:
+ *digest = &cryptodev_sha256;
+ break;
+ case NID_sha384:
+ *digest = &cryptodev_sha384;
+ break;
+ case NID_sha512:
+ *digest = &cryptodev_sha512;
+ break;
default:
+#endif /* USE_CRYPTODEV_DIGESTS */
*digest = NULL;
break;
}
@@ -646,8 +984,9 @@
b = malloc(bytes);
if (b == NULL)
return (1);
+ memset(b, 0, bytes);
- crp->crp_p = (char *)b;
+ crp->crp_p = (void*) b;
crp->crp_nbits = bits;
for (i = 0, j = 0; i < a->top; i++) {
@@ -690,7 +1029,7 @@
{
int i;
- for (i = 0; i <= kop->crk_iparams + kop->crk_oparams; i++) {
+ for (i = 0; i < kop->crk_iparams + kop->crk_oparams; i++) {
if (kop->crk_param[i].crp_p)
free(kop->crk_param[i].crp_p);
kop->crk_param[i].crp_p = NULL;
@@ -776,8 +1115,9 @@
cryptodev_rsa_nocrt_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
{
int r;
-
+ ctx = BN_CTX_new();
r = cryptodev_bn_mod_exp(r0, I, rsa->d, rsa->n, ctx, NULL);
+ BN_CTX_free(ctx);
return (r);
}
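Review bot: `ctx = BN_CTX_new();` discards the caller's `BN_CTX` and the result is never checked, so on allocation failure `cryptodev_bn_mod_exp` runs with a NULL ctx and `BN_CTX_free(NULL)` follows; use a local and bail out: `BN_CTX *tmp_ctx = BN_CTX_new(); if (tmp_ctx == NULL) return (0);` (confirm `0` is the failure value the RSA method's callers expect, since the file's own helpers such as `bn2crparam` use `1` for failure). A one-line comment stating why the caller-supplied `ctx` is deliberately not used, e.g. `/* the caller's ctx is ignored because … */`, would stop the next reader from reverting this.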
@@ -899,7 +1239,7 @@
kop.crk_op = CRK_DSA_SIGN;
/* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */
- kop.crk_param[0].crp_p = (caddr_t)dgst;
+ kop.crk_param[0].crp_p = (void*)dgst;
kop.crk_param[0].crp_nbits = dlen * 8;
if (bn2crparam(dsa->p, &kop.crk_param[1]))
goto err;
@@ -939,7 +1279,7 @@
kop.crk_op = CRK_DSA_VERIFY;
/* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */
- kop.crk_param[0].crp_p = (caddr_t)dgst;
+ kop.crk_param[0].crp_p = (void*)dgst;
kop.crk_param[0].crp_nbits = dlen * 8;
if (bn2crparam(dsa->p, &kop.crk_param[1]))
goto err;
@@ -1017,7 +1357,7 @@
goto err;
kop.crk_iparams = 3;
- kop.crk_param[3].crp_p = (char *)key;
+ kop.crk_param[3].crp_p = (void*) key;
kop.crk_param[3].crp_nbits = keylen * 8;
kop.crk_oparams = 1;
@@ -1048,7 +1388,7 @@
* but I expect we'll want some options soon.
*/
static int
-cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)())
+cryptodev_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
{
#ifdef HAVE_SYSLOG_R
struct syslog_data sd = SYSLOG_DATA_INIT;
@@ -1084,14 +1424,14 @@
* find out what asymmetric crypto algorithms we support
*/
if (ioctl(fd, CIOCASYMFEAT, &cryptodev_asymfeat) == -1) {
- close(fd);
+ put_dev_crypto(fd);
ENGINE_free(engine);
return;
}
- close(fd);
+ put_dev_crypto(fd);
if (!ENGINE_set_id(engine, "cryptodev") ||
- !ENGINE_set_name(engine, "BSD cryptodev engine") ||
+ !ENGINE_set_name(engine, "cryptodev engine") ||
!ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) ||
!ENGINE_set_digests(engine, cryptodev_engine_digests) ||
!ENGINE_set_ctrl_function(engine, cryptodev_ctrl) ||
diff -Naur openssl-0.9.8u.org/crypto/engine/engine.h openssl-0.9.8u/crypto/engine/engine.h
--- openssl-0.9.8u.org/crypto/engine/engine.h 2010-02-09 15:18:15.000000000 +0100
+++ openssl-0.9.8u/crypto/engine/engine.h 2012-03-27 14:05:15.000000000 +0200
@@ -705,9 +705,7 @@
* values. */
void *ENGINE_get_static_state(void);
-#if defined(__OpenBSD__) || defined(__FreeBSD__)
void ENGINE_setup_bsd_cryptodev(void);
-#endif
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
diff -Naur openssl-0.9.8u.org/crypto/evp/c_all.c openssl-0.9.8u/crypto/evp/c_all.c
--- openssl-0.9.8u.org/crypto/evp/c_all.c 2004-08-29 18:36:04.000000000 +0200
+++ openssl-0.9.8u/crypto/evp/c_all.c 2012-03-27 14:05:15.000000000 +0200
@@ -83,8 +83,6 @@
OpenSSL_add_all_ciphers();
OpenSSL_add_all_digests();
#ifndef OPENSSL_NO_ENGINE
-# if defined(__OpenBSD__) || defined(__FreeBSD__)
ENGINE_setup_bsd_cryptodev();
-# endif
#endif
}