Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

This commit is contained in:
Stefan Schantl
2019-01-21 13:04:13 +01:00
116 changed files with 2471 additions and 1649 deletions


@@ -13,6 +13,12 @@
case "${1}" in
start)
# Load IPVS module
modprobe ip_vs
# Enable connection tracking for IPVS
sysctl -w net.ipv4.vs.conntrack=1 &>/dev/null
boot_mesg "Starting keepalive daemon..."
loadproc /usr/sbin/keepalived ${KEEPALIVED_OPTIONS}
;;
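Review bot: The new `modprobe ip_vs` line has its exit status ignored, and the `sysctl -w net.ipv4.vs.conntrack=1 &>/dev/null` that follows discards the error produced when the module is not loaded, so keepalived is started with no indication that IPVS connection tracking is off. Check the module load before touching the sysctl, e.g. `modprobe ip_vs || boot_mesg "Could not load ip_vs module"`, and let a failing sysctl reach the boot log instead of sending it to `/dev/null`. The `case` statement continues outside the hunk.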


@@ -0,0 +1,41 @@
#!/bin/sh
########################################################################
# Begin $rc_base/init.d/conntrackd
########################################################################
. /etc/sysconfig/rc
. ${rc_functions}
case "${1}" in
start)
# Don't attempt to launch the daemon when we have no configuration
if [ ! -s "/etc/conntrackd/conntrackd.conf" ]; then
exit 0
fi
boot_mesg "Starting Connection Tracking Daemon..."
loadproc /usr/sbin/conntrackd -d
;;
stop)
boot_mesg "Stopping Connection Tracking Daemon..."
killproc /usr/sbin/conntrackd
;;
restart)
${0} stop
sleep 1
${0} start
;;
status)
statusproc /usr/sbin/conntrackd
;;
*)
echo "Usage: ${0} {start|stop|restart|status}"
exit 1
;;
esac
# End $rc_base/init.d/conntrackd
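Review bot: `start)` exits 0 silently when `/etc/conntrackd/conntrackd.conf` is missing or empty, so an HA setup whose daemon never comes up leaves no hint on the console or in the boot log; print a message before the `exit 0`, e.g. `boot_mesg "Not starting conntrackd: /etc/conntrackd/conntrackd.conf is missing or empty"`. `stop)` and `status)` run unconditionally and will report on a daemon that may never have been started; presumably `killproc`/`statusproc` from `${rc_functions}` cope with that, which cannot be verified from this file.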


@@ -1,12 +0,0 @@
diff -Naur openssl-1.0.2h.org/ssl/ssl.h openssl-1.0.2h/ssl/ssl.h
--- openssl-1.0.2h.org/ssl/ssl.h 2016-05-03 15:44:42.000000000 +0200
+++ openssl-1.0.2h/ssl/ssl.h 2016-05-03 18:49:10.393302264 +0200
@@ -338,7 +338,7 @@
* The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'.
*/
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC2:!DES"
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is


@@ -1,11 +0,0 @@
--- openssl-1.1.0g-orig/include/openssl/ssl.h 2017-11-02 15:29:05.000000000 +0100
+++ openssl-1.1.0g/include/openssl/ssl.h 2018-02-27 18:23:43.522649728 +0100
@@ -194,7 +194,7 @@
* The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'.
*/
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+# define SSL_DEFAULT_CIPHER_LIST "kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:+kRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!kECDH:!IDEA:!SEED:!RC4:!kDH:!DSS"
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is


@@ -0,0 +1,18 @@
--- openssl-1.1.1.orig/include/openssl/ssl.h 2018-09-11 14:48:23.000000000 +0200
+++ openssl-1.1.1/include/openssl/ssl.h 2018-11-05 16:55:03.935513159 +0100
@@ -170,11 +170,11 @@
* an application-defined cipher list string starts with 'DEFAULT'.
* This applies to ciphersuites for TLSv1.2 and below.
*/
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
+# define SSL_DEFAULT_CIPHER_LIST "TLSv1.3:CHACHA20:HIGH:+DH:+aRSA:+SHA:+kRSA:!aNULL:!eNULL:!SRP:!PSK:!DSS:!AESCCM"
/* This is the default set of TLSv1.3 ciphersuites */
# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
- "TLS_CHACHA20_POLY1305_SHA256:" \
+# define TLS_DEFAULT_CIPHERSUITES "TLS_CHACHA20_POLY1305_SHA256:" \
+ "TLS_AES_256_GCM_SHA384:" \
"TLS_AES_128_GCM_SHA256"
# else
# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
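Review bot: The new `SSL_DEFAULT_CIPHER_LIST` still admits static-RSA key exchange: `+kRSA` only moves those suites to the end of the preference order, so a peer offering nothing else negotiates a session without forward secrecy. If no legacy client needs it, `!kRSA` in place of `+kRSA` removes it; if it is kept deliberately, the patch file should say so, since it carries no description of why IPFire departs from upstream's `ALL:!COMPLEMENTOFDEFAULT:!eNULL`. The same applies to the `TLS_DEFAULT_CIPHERSUITES` reorder, whose motivation (preferring ChaCha20-Poly1305 over AES-GCM) is stated nowhere in the file.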


@@ -1,22 +0,0 @@
diff --git a/Python/random.c b/Python/random.c
index 2f83b5d..4cae217 100644
--- a/Python/random.c
+++ b/Python/random.c
@@ -97,8 +97,15 @@ win32_urandom(unsigned char *buffer, Py_ssize_t size, int raise)
}
/* Issue #25003: Don't use getentropy() on Solaris (available since
- * Solaris 11.3), it is blocking whereas os.urandom() should not block. */
-#elif defined(HAVE_GETENTROPY) && !defined(sun)
+ Solaris 11.3), it is blocking whereas os.urandom() should not block.
+
+ Issue #29188: Don't use getentropy() on Linux since the glibc 2.24
+ implements it with the getrandom() syscall which can fail with ENOSYS,
+ and this error is not supported in py_getentropy() and getrandom() is called
+ with flags=0 which blocks until system urandom is initialized, which is not
+ the desired behaviour to seed the Python hash secret nor for os.urandom():
+ see the PEP 524 which was only implemented in Python 3.6. */
+#elif defined(HAVE_GETENTROPY) && !defined(sun) && !defined(linux)
#define PY_GETENTROPY 1
/* Fill buffer with size pseudo-random bytes generated by getentropy().


@@ -1,91 +0,0 @@
commit bc54d7a6f7ec510a25966f2f800d3ea874657546
Author: chi-mf <43963496+chi-mf@users.noreply.github.com>
Date: 2018-10-30 04:48:40 +0000
Fix netdb exchange with a TLS cache_peer (#307)
Squid uses http-scheme URLs when sending netdb exchange (and possibly
other) requests to a cache_peer. If a DIRECT path is selected for that
cache_peer URL, then Squid sends a clear text HTTP request to that
cache_peer. If that cache_peer expects a TLS connection, it will reject
that request (with, e.g., error:transaction-end-before-headers),
resulting in an HTTP 503 or 504 netdb fetch error.
Workaround this by adding an internalRemoteUri() parameter to indicate
whether https or http URL scheme should be used. Netdb fetches from
CachePeer::secure peers now get an https scheme and, hence, a TLS
connection.
diff --git a/src/icmp/net_db.cc b/src/icmp/net_db.cc
index 0f488de..526093f 100644
--- a/src/icmp/net_db.cc
+++ b/src/icmp/net_db.cc
@@ -1282,7 +1282,7 @@ netdbExchangeStart(void *data)
#if USE_ICMP
CachePeer *p = (CachePeer *)data;
static const SBuf netDB("netdb");
- char *uri = internalRemoteUri(p->host, p->http_port, "/squid-internal-dynamic/", netDB);
+ char *uri = internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-dynamic/", netDB);
debugs(38, 3, "Requesting '" << uri << "'");
const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initIcmp);
HttpRequest *req = HttpRequest::FromUrl(uri, mx);
diff --git a/src/internal.cc b/src/internal.cc
index 6ebc7a6..ff7b4d6 100644
--- a/src/internal.cc
+++ b/src/internal.cc
@@ -82,7 +82,7 @@ internalStaticCheck(const SBuf &urlPath)
* makes internal url with a given host and port (remote internal url)
*/
char *
-internalRemoteUri(const char *host, unsigned short port, const char *dir, const SBuf &name)
+internalRemoteUri(bool encrypt, const char *host, unsigned short port, const char *dir, const SBuf &name)
{
static char lc_host[SQUIDHOSTNAMELEN];
assert(host && !name.isEmpty());
@@ -115,7 +115,7 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
static MemBuf mb;
mb.reset();
- mb.appendf("http://" SQUIDSBUFPH, SQUIDSBUFPRINT(tmp.authority()));
+ mb.appendf("%s://" SQUIDSBUFPH, encrypt ? "https" : "http", SQUIDSBUFPRINT(tmp.authority()));
if (dir)
mb.append(dir, strlen(dir));
@@ -132,7 +132,10 @@ internalRemoteUri(const char *host, unsigned short port, const char *dir, const
char *
internalLocalUri(const char *dir, const SBuf &name)
{
- return internalRemoteUri(getMyHostname(),
+ // XXX: getMy*() may return https_port info, but we force http URIs
+ // because we have not checked whether the callers can handle https.
+ const bool secure = false;
+ return internalRemoteUri(secure, getMyHostname(),
getMyPort(), dir, name);
}
diff --git a/src/internal.h b/src/internal.h
index c91f9ac..13a43a6 100644
--- a/src/internal.h
+++ b/src/internal.h
@@ -24,7 +24,7 @@ void internalStart(const Comm::ConnectionPointer &clientConn, HttpRequest *, Sto
bool internalCheck(const SBuf &urlPath);
bool internalStaticCheck(const SBuf &urlPath);
char *internalLocalUri(const char *dir, const SBuf &name);
-char *internalRemoteUri(const char *, unsigned short, const char *, const SBuf &);
+char *internalRemoteUri(bool, const char *, unsigned short, const char *, const SBuf &);
const char *internalHostname(void);
int internalHostnameIs(const char *);
diff --git a/src/peer_digest.cc b/src/peer_digest.cc
index 36a8705..f515aaa 100644
--- a/src/peer_digest.cc
+++ b/src/peer_digest.cc
@@ -323,7 +323,7 @@ peerDigestRequest(PeerDigest * pd)
if (p->digest_url)
url = xstrdup(p->digest_url);
else
- url = xstrdup(internalRemoteUri(p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName)));
+ url = xstrdup(internalRemoteUri(p->secure.encryptTransport, p->host, p->http_port, "/squid-internal-periodic/", SBuf(StoreDigestFileName)));
debugs(72, 2, url);
const MasterXaction::Pointer mx = new MasterXaction(XactionInitiator::initCacheDigest);


@@ -1,22 +0,0 @@
commit 3c23ae8c7431344f8fc50bb5ee8f4b56d08c10a4
Author: Amos Jeffries <yadij@users.noreply.github.com>
Date: 2018-11-11 04:29:58 +0000
Maintenance: add .xz tarball format formally to make dist (#325)
Automake can now handle generating this format itself and the
experiments of providing it for downstream have gone well.
diff --git a/configure.ac b/configure.ac
index 3f8af6d..f668567 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10,7 +10,7 @@ AC_PREREQ(2.61)
AC_CONFIG_HEADERS([include/autoconf.h])
AC_CONFIG_AUX_DIR(cfgaux)
AC_CONFIG_SRCDIR([src/main.cc])
-AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects])
+AM_INIT_AUTOMAKE([tar-ustar nostdinc subdir-objects dist-xz])
AC_REVISION($Revision$)dnl
AC_PREFIX_DEFAULT(/usr/local/squid)
AM_MAINTAINER_MODE


@@ -1,132 +0,0 @@
commit 0022167d80725513d95b38aaebc90086fc0b6938 (tag: refs/tags/M-staged-PR331, refs/remotes/origin/v4)
Author: Christos Tsantilas <christos@chtsanti.net>
Date: 2018-11-14 15:17:06 +0000
The %>handshake logformat code (#331)
Logging client "handshake" bytes is useful in at least two contexts:
* Runtime traffic bypass and bumping/splicing decisions. Identifying
popular clients like Skype for Business (that uses a TLS handshake but
then may not speak TLS) is critical for handling their traffic
correctly. Squid does not have enough ACLs to interrogate most TLS
handshake aspects. Adding more ACLs may still be a good idea, but
initial sketches for SfB handshakes showed rather complex
ACLs/configurations, _and_ no reasonable ACLs would be able to handle
non-TLS handshakes. An external ACL receiving the handshake is in a
much better position to analyze/fingerprint it according to custom
admin needs.
* A logged handshake can be used to analyze new/unusual traffic or even
trigger security-related alarms.
The current support is limited to cases where Squid was saving handshake
for other reasons. With enough demand, this initial support can be
extended to all protocols and port configurations.
This is a Measurement Factory project.
diff --git a/src/cf.data.pre b/src/cf.data.pre
index fa8af56..a8ca587 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -4394,6 +4394,37 @@ DOC_START
<qos Server connection TOS/DSCP value set by Squid
<nfmark Server connection netfilter mark set by Squid
+ >handshake Raw client handshake
+ Initial client bytes received by Squid on a newly
+ accepted TCP connection or inside a just established
+ CONNECT tunnel. Squid stops accumulating handshake
+ bytes as soon as the handshake parser succeeds or
+ fails (determining whether the client is using the
+ expected protocol).
+
+ For HTTP clients, the handshake is the request line.
+ For TLS clients, the handshake consists of all TLS
+ records up to and including the TLS record that
+ contains the last byte of the first ClientHello
+ message. For clients using an unsupported protocol,
+ this field contains the bytes received by Squid at the
+ time of the handshake parsing failure.
+
+ See the on_unsupported_protocol directive for more
+ information on Squid handshake traffic expectations.
+
+ Current support is limited to these contexts:
+ - http_port connections, but only when the
+ on_unsupported_protocol directive is in use.
+ - https_port connections (and CONNECT tunnels) that
+ are subject to the ssl_bump peek or stare action.
+
+ To protect binary handshake data, this field is always
+ base64-encoded (RFC 4648 Section 4). If logformat
+ field encoding is configured, that encoding is applied
+ on top of base64. Otherwise, the computed base64 value
+ is recorded as is.
+
Time related format codes:
ts Seconds since epoch
diff --git a/src/format/ByteCode.h b/src/format/ByteCode.h
index ad230bb..a6f8fd9 100644
--- a/src/format/ByteCode.h
+++ b/src/format/ByteCode.h
@@ -46,6 +46,8 @@ typedef enum {
LFT_CLIENT_LOCAL_TOS,
LFT_CLIENT_LOCAL_NFMARK,
+ LFT_CLIENT_HANDSHAKE,
+
/* client connection local squid.conf details */
LFT_LOCAL_LISTENING_IP,
LFT_LOCAL_LISTENING_PORT,
diff --git a/src/format/Format.cc b/src/format/Format.cc
index c1e19b4..8fd6720 100644
--- a/src/format/Format.cc
+++ b/src/format/Format.cc
@@ -8,6 +8,7 @@
#include "squid.h"
#include "AccessLogEntry.h"
+#include "base64.h"
#include "client_side.h"
#include "comm/Connection.h"
#include "err_detail_type.h"
@@ -547,6 +548,24 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS
}
break;
+ case LFT_CLIENT_HANDSHAKE:
+ if (al->request && al->request->clientConnectionManager.valid()) {
+ const auto &handshake = al->request->clientConnectionManager->preservedClientData;
+ if (const auto rawLength = handshake.length()) {
+ // add 1 byte to optimize the c_str() conversion below
+ char *buf = sb.rawAppendStart(base64_encode_len(rawLength) + 1);
+
+ struct base64_encode_ctx ctx;
+ base64_encode_init(&ctx);
+ auto encLength = base64_encode_update(&ctx, buf, rawLength, reinterpret_cast<const uint8_t*>(handshake.rawContent()));
+ encLength += base64_encode_final(&ctx, buf + encLength);
+
+ sb.rawAppendFinish(buf, encLength);
+ out = sb.c_str();
+ }
+ }
+ break;
+
case LFT_TIME_SECONDS_SINCE_EPOCH:
// some platforms store time in 32-bit, some 64-bit...
outoff = static_cast<int64_t>(current_time.tv_sec);
diff --git a/src/format/Token.cc b/src/format/Token.cc
index 186ade5..06c60cf 100644
--- a/src/format/Token.cc
+++ b/src/format/Token.cc
@@ -141,6 +141,7 @@ static TokenTableEntry TokenTableMisc[] = {
TokenTableEntry("<qos", LFT_SERVER_LOCAL_TOS),
TokenTableEntry(">nfmark", LFT_CLIENT_LOCAL_NFMARK),
TokenTableEntry("<nfmark", LFT_SERVER_LOCAL_NFMARK),
+ TokenTableEntry(">handshake", LFT_CLIENT_HANDSHAKE),
TokenTableEntry("err_code", LFT_SQUID_ERROR ),
TokenTableEntry("err_detail", LFT_SQUID_ERROR_DETAIL ),
TokenTableEntry("note", LFT_NOTE ),


@@ -1,6 +1,6 @@
--- configure.ac.~ Wed Apr 20 14:26:07 2016
+++ configure.ac Fri Apr 22 17:20:46 2016
@@ -3156,6 +3156,9 @@
@@ -3160,6 +3160,9 @@
;;
esac
@@ -10,7 +10,7 @@
dnl --with-maxfd present for compatibility with Squid-2.
dnl undocumented in ./configure --help to encourage using the Squid-3 directive
AC_ARG_WITH(maxfd,,
@@ -3186,8 +3189,6 @@
@@ -3190,8 +3193,6 @@
esac
])


@@ -0,0 +1,12 @@
--- tar-1.31/src/extract.c 2019-01-02 18:07:48.000000000 +0000
+++ tar-1.31.patched/src/extract.c 2019-01-09 16:17:20.368612005 +0000
@@ -782,7 +782,8 @@
case OVERWRITE_OLD_FILES:
if (0 < remove_any_file (file_name, ORDINARY_REMOVE_OPTION))
return RECOVER_OK;
- break;
+ errno = e;
+ return RECOVER_NO;
case UNLINK_FIRST_OLD_FILES:
break;
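Review bot: The added `errno = e; return RECOVER_NO;` replaces a `break;` that fell out of the switch when `remove_any_file` could not remove the old file, but the patch file gives no description of the symptom it fixes or where the change comes from, and `e` is assigned outside the hunk (presumably the saved errno from the failed open — confirm). Prepend a short header before the `---` line stating the bug and the upstream reference so the patch can be dropped once tar carries the fix. The enclosing function starts and ends outside the hunk.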


@@ -1,261 +0,0 @@
From f91cf5ad8c677b61ceb0bf5877b87f9e93256dd7 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Mon, 5 Sep 2016 21:49:07 +0000
Subject: [PATCH] transmission: build against openssl 1.1.0
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
libtransmission/crypto-utils-openssl.c | 73 ++++++++++++++++++++++++++++++++--
1 file changed, 69 insertions(+), 4 deletions(-)
diff --git a/libtransmission/crypto-utils-openssl.c b/libtransmission/crypto-utils-openssl.c
index c4539dc..972e24a 100644
--- a/libtransmission/crypto-utils-openssl.c
+++ b/libtransmission/crypto-utils-openssl.c
@@ -229,6 +229,61 @@ tr_rc4_process (tr_rc4_ctx_t handle,
****
***/
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+static inline int
+DH_set0_pqg (DH * dh,
+ BIGNUM * p,
+ BIGNUM * q,
+ BIGNUM * g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free (dh->p);
+ dh->p = p;
+ }
+ if (q != NULL) {
+ BN_free (dh->q);
+ dh->q = q;
+ }
+ if (g != NULL) {
+ BN_free (dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL) {
+ dh->length = BN_num_bits (q);
+ }
+
+ return 1;
+}
+
+static inline int
+DH_set_length (DH * dh,
+ long length)
+{
+ dh->length = length;
+ return 1;
+}
+
+static inline void
+DH_get0_key(const DH * dh,
+ const BIGNUM ** pub_key,
+ const BIGNUM ** priv_key)
+{
+ if (pub_key != NULL)
+ *pub_key = dh->pub_key;
+ if (priv_key != NULL)
+ *priv_key = dh->priv_key;
+}
+
+#endif
+
tr_dh_ctx_t
tr_dh_new (const uint8_t * prime_num,
size_t prime_num_length,
@@ -236,13 +291,19 @@ tr_dh_new (const uint8_t * prime_num,
size_t generator_num_length)
{
DH * handle = DH_new ();
+ BIGNUM * p, * g;
assert (prime_num != NULL);
assert (generator_num != NULL);
+ p = BN_bin2bn (prime_num, prime_num_length, NULL);
+ g = BN_bin2bn (generator_num, generator_num_length, NULL);
- if (!check_pointer (handle->p = BN_bin2bn (prime_num, prime_num_length, NULL)) ||
- !check_pointer (handle->g = BN_bin2bn (generator_num, generator_num_length, NULL)))
+ if (!check_pointer (p) ||
+ !check_pointer (g) ||
+ !DH_set0_pqg (handle, p, NULL, g))
{
+ BN_free (p);
+ BN_free (g);
DH_free (handle);
handle = NULL;
}
@@ -267,16 +328,20 @@ tr_dh_make_key (tr_dh_ctx_t raw_handle,
{
DH * handle = raw_handle;
int dh_size, my_public_key_length;
+ const BIGNUM * hand_pub_key;
assert (handle != NULL);
assert (public_key != NULL);
- handle->length = private_key_length * 8;
+
+ DH_set_length(handle, private_key_length * 8);
if (!check_result (DH_generate_key (handle)))
return false;
- my_public_key_length = BN_bn2bin (handle->pub_key, public_key);
+ DH_get0_key (handle, &hand_pub_key, NULL);
+
+ my_public_key_length = BN_bn2bin (hand_pub_key, public_key);
dh_size = DH_size (handle);
tr_dh_align_key (public_key, my_public_key_length, dh_size);
From 8c8386a7f3f482a9c917f51d28e0042e55f56b3e Mon Sep 17 00:00:00 2001
From: Mike Gelfand <mikedld@mikedld.com>
Date: Wed, 7 Sep 2016 01:09:04 +0300
Subject: [PATCH] Fix coding style and building with !TR_LIGHTWEIGHT
---
libtransmission/crypto-utils-openssl.c | 60 +++++++++++++++++++---------------
1 file changed, 33 insertions(+), 27 deletions(-)
diff --git a/libtransmission/crypto-utils-openssl.c b/libtransmission/crypto-utils-openssl.c
index 972e24a..9fd2c58 100644
--- a/libtransmission/crypto-utils-openssl.c
+++ b/libtransmission/crypto-utils-openssl.c
@@ -14,6 +14,7 @@
#include <assert.h>
#include <openssl/bn.h>
+#include <openssl/crypto.h>
#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/evp.h>
@@ -48,7 +49,12 @@ log_openssl_error (const char * file,
static bool strings_loaded = false;
if (!strings_loaded)
{
+#if OPENSSL_VERSION_NUMBER < 0x10100000
ERR_load_crypto_strings ();
+#else
+ OPENSSL_init_crypto (OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+#endif
+
strings_loaded = true;
}
#endif
@@ -230,6 +236,7 @@ tr_rc4_process (tr_rc4_ctx_t handle,
***/
#if OPENSSL_VERSION_NUMBER < 0x10100000
+
static inline int
DH_set0_pqg (DH * dh,
BIGNUM * p,
@@ -237,28 +244,29 @@ DH_set0_pqg (DH * dh,
BIGNUM * g)
{
/* If the fields p and g in d are NULL, the corresponding input
- * parameters MUST be non-NULL. q may remain NULL.
+ * parameters MUST be non-NULL. q may remain NULL.
*/
- if ((dh->p == NULL && p == NULL)
- || (dh->g == NULL && g == NULL))
+ if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL))
return 0;
- if (p != NULL) {
- BN_free (dh->p);
- dh->p = p;
- }
- if (q != NULL) {
- BN_free (dh->q);
- dh->q = q;
- }
- if (g != NULL) {
- BN_free (dh->g);
- dh->g = g;
- }
-
- if (q != NULL) {
+ if (p != NULL)
+ {
+ BN_free (dh->p);
+ dh->p = p;
+ }
+ if (q != NULL)
+ {
+ BN_free (dh->q);
+ dh->q = q;
+ }
+ if (g != NULL)
+ {
+ BN_free (dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL)
dh->length = BN_num_bits (q);
- }
return 1;
}
@@ -267,8 +275,8 @@ static inline int
DH_set_length (DH * dh,
long length)
{
- dh->length = length;
- return 1;
+ dh->length = length;
+ return 1;
}
static inline void
@@ -295,12 +303,11 @@ tr_dh_new (const uint8_t * prime_num,
assert (prime_num != NULL);
assert (generator_num != NULL);
+
p = BN_bin2bn (prime_num, prime_num_length, NULL);
g = BN_bin2bn (generator_num, generator_num_length, NULL);
- if (!check_pointer (p) ||
- !check_pointer (g) ||
- !DH_set0_pqg (handle, p, NULL, g))
+ if (!check_pointer (p) || !check_pointer (g) || !DH_set0_pqg (handle, p, NULL, g))
{
BN_free (p);
BN_free (g);
@@ -328,20 +335,19 @@ tr_dh_make_key (tr_dh_ctx_t raw_handle,
{
DH * handle = raw_handle;
int dh_size, my_public_key_length;
- const BIGNUM * hand_pub_key;
+ const BIGNUM * my_public_key;
assert (handle != NULL);
assert (public_key != NULL);
-
DH_set_length(handle, private_key_length * 8);
if (!check_result (DH_generate_key (handle)))
return false;
- DH_get0_key (handle, &hand_pub_key, NULL);
+ DH_get0_key (handle, &my_public_key, NULL);
- my_public_key_length = BN_bn2bin (hand_pub_key, public_key);
+ my_public_key_length = BN_bn2bin (my_public_key, public_key);
dh_size = DH_size (handle);
tr_dh_align_key (public_key, my_public_key_length, dh_size);


@@ -1,89 +0,0 @@
#!/usr/bin/perl
#
# Converter for MaxMind CSV database to binary, for xt_geoip
# Copyright © Jan Engelhardt, 2008-2011
#
use Getopt::Long;
use IO::Handle;
use Text::CSV_XS; # or trade for Text::CSV
use strict;
my $csv = Text::CSV_XS->new({
allow_whitespace => 1,
binary => 1,
eol => $/,
}); # or Text::CSV
my $target_dir = ".";
&Getopt::Long::Configure(qw(bundling));
&GetOptions(
"D=s" => \$target_dir,
);
if (!-d $target_dir) {
print STDERR "Target directory $target_dir does not exist.\n";
exit 1;
}
my $dir = "$target_dir/LE";
if (!-e $dir && !mkdir($dir)) {
print STDERR "Could not mkdir $dir: $!\n";
exit 1;
}
&dump(&collect());
sub collect
{
my %country;
while (my $row = $csv->getline(*ARGV)) {
if (!defined($country{$row->[4]})) {
$country{$row->[4]} = {
name => $row->[5],
pool_v4 => [],
pool_v6 => [],
};
}
my $c = $country{$row->[4]};
push(@{$c->{pool_v4}}, [$row->[2], $row->[3]]);
if ($. % 4096 == 0) {
print STDERR "\r\e[2K$. entries";
}
}
print STDERR "\r\e[2K$. entries total\n";
return \%country;
}
sub dump
{
my $country = shift @_;
foreach my $iso_code (sort keys %$country) {
&dump_one($iso_code, $country->{$iso_code});
}
}
sub dump_one
{
my($iso_code, $country) = @_;
my($file, $fh_le, $fh_be);
printf "%5u IPv4 ranges for %s %s\n",
scalar(@{$country->{pool_v4}}),
$iso_code, $country->{name};
$file = "$target_dir/LE/".uc($iso_code).".iv4";
if (!open($fh_le, "> $file")) {
print STDERR "Error opening $file: $!\n";
exit 1;
}
foreach my $range (@{$country->{pool_v4}}) {
print $fh_le pack("VV", $range->[0], $range->[1]);
#print $fh_be pack("NN", $range->[0], $range->[1]);
}
close $fh_le;
}


@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2014 IPFire Development Team <info@ipfire.org> #
# Copyright (C) 2019 IPFire Development Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,13 +24,10 @@ TMP_FILE=$(mktemp -p $TMP_PATH)
SCRIPT_PATH=/usr/local/bin
DEST_PATH=/usr/share/xt_geoip
DB_PATH=/var/lib/GeoIP
DL_URL=https://geolite.maxmind.com/download/geoip/database
DL_FILE=GeoIPCountryCSV.zip
CSV_FILE=GeoIPCountryWhois.csv
ARCH=LE
DL_URL=http://geolite.maxmind.com/download/geoip/database
DL_FILE=GeoLite2-Country-CSV.zip
eval $(/usr/local/bin/readhash /var/ipfire/proxy/settings)
@@ -57,24 +54,40 @@ function download() {
# Get the latest GeoIP database from server.
wget $DL_URL/$DL_FILE $PROXYSETTINGS -O $TMP_FILE
# Extract files.
# Extract files to database path.
unzip $TMP_FILE -d $TMP_PATH
return 0
}
function install() {
echo "Install CSV database..."
# Check if the database dir exists.
if [ ! -e "$DB_PATH" ]; then
mkdir -p $DB_PATH &>/dev/null
fi
# Check if the directory for binary databases exists.
if [ ! -e "$DEST_PATH" ]; then
mkdir -p $DEST_PATH &>/dev/null
fi
# Install CSV databases.
if ! cp -af $TMP_PATH/*/* $DB_PATH &>/dev/null; then
echo "Could not copy files. Aborting." >&2
return 1
fi
return 0
}
function build() {
echo "Convert database..."
# Check if the csv file exists.
if [ ! -e $TMP_PATH/$CSV_FILE ]; then
echo "$TMP_PATH/$CSV_FILE not found. Exiting."
return 1
fi
# Run script to convert the CSV file into several xtables
# compatible binary files.
if ! $SCRIPT_PATH/xt_geoip_build $TMP_PATH/$CSV_FILE -D $TMP_PATH; then
if ! $SCRIPT_PATH/xt_geoip_build -S $DB_PATH -D $DEST_PATH; then
echo "Could not convert ruleset. Aborting." >&2
return 1
fi
@@ -82,23 +95,6 @@ function build() {
return 0
}
function install() {
echo "Install databases..."
# Check if our destination exist.
if [ ! -e "$DEST_PATH" ]; then
mkdir -p $DEST_PATH &>/dev/null
fi
# Install databases.
if ! cp -af $TMP_PATH/$ARCH $DEST_PATH &>/dev/null; then
echo "Could not copy files. Aborting." >&2
return 1
fi
return 0
}
function cleanup() {
echo "Cleaning up temporary files..."
if ! rm -rf $TMP_PATH &>/dev/null; then
@@ -113,23 +109,18 @@ function main() {
# Download ruleset.
download || exit $?
# Convert the ruleset.
if ! build; then
# Do cleanup.
cleanup || exit $?
exit 1
fi
# Install the converted ruleset.
if ! install; then
# Do cleanup.
cleanup || exit $?
exit 1
fi
# Finaly remove temporary files.
# Remove temporary files.
cleanup || exit $?
# Convert the ruleset.
build || exit $?
return 0
}
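Review bot: The new-side `DL_URL=http://geolite.maxmind.com/download/geoip/database` replaces the `https://` value removed alongside it in the second hunk, so the GeoLite2 archive that `download()` fetches with `wget` and that `install()`/`build()` turn into the xt_geoip rule set is now pulled over plaintext with no checksum or signature check of its own, leaving the firewall's country-to-range data open to tampering in transit. Unless the https endpoint is unusable through `$PROXYSETTINGS` (not decidable from the hunk), keep `DL_URL=https://geolite.maxmind.com/download/geoip/database`, and if plaintext is unavoidable, verify the archive before `unzip`. Separately, `unzip $TMP_FILE -d $TMP_PATH` in `download()` and the `mkdir -p ... &>/dev/null` calls in `install()` ignore failures, so a truncated download is only noticed when `cp -af $TMP_PATH/*/* $DB_PATH` fails. `install()` and `main()` are complete within their hunks; `build()` continues into the following hunk.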