webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-19 07:23:03 +02:00
Code Issues Packages Projects Releases Wiki Activity

strongswan: Update to 5.3.0

Browse Source 
Enable support for CCM and CTR
This commit is contained in:
Michael Tremer
2015-03-31 00:55:21 +02:00
parent 5b3bd19f31
commit df5fbff531
7 changed files with 34 additions and 188 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
config/rootfiles/common/strongswan
View File

@@ -16,8 +16,10 @@ etc/strongswan.d/charon-logging.conf
etc/strongswan.d/charon.conf
etc/strongswan.d/charon/aes.conf
etc/strongswan.d/charon/attr.conf
etc/strongswan.d/charon/ccm.conf
etc/strongswan.d/charon/cmac.conf
etc/strongswan.d/charon/constraints.conf
etc/strongswan.d/charon/ctr.conf
etc/strongswan.d/charon/curl.conf
etc/strongswan.d/charon/des.conf
etc/strongswan.d/charon/dhcp.conf
@@ -94,8 +96,10 @@ usr/lib/ipsec/libtls.so.0.0.0
#usr/lib/ipsec/plugins
usr/lib/ipsec/plugins/libstrongswan-aes.so
usr/lib/ipsec/plugins/libstrongswan-attr.so
usr/lib/ipsec/plugins/libstrongswan-ccm.so
usr/lib/ipsec/plugins/libstrongswan-cmac.so
usr/lib/ipsec/plugins/libstrongswan-constraints.so
usr/lib/ipsec/plugins/libstrongswan-ctr.so
usr/lib/ipsec/plugins/libstrongswan-curl.so
usr/lib/ipsec/plugins/libstrongswan-dhcp.so
usr/lib/ipsec/plugins/libstrongswan-des.so
@@ -175,8 +179,10 @@ usr/sbin/ipsec
#usr/share/strongswan/templates/config/plugins
#usr/share/strongswan/templates/config/plugins/aes.conf
#usr/share/strongswan/templates/config/plugins/attr.conf
#usr/share/strongswan/templates/config/plugins/ccm.conf
#usr/share/strongswan/templates/config/plugins/cmac.conf
#usr/share/strongswan/templates/config/plugins/constraints.conf
#usr/share/strongswan/templates/config/plugins/ctr.conf
#usr/share/strongswan/templates/config/plugins/curl.conf
#usr/share/strongswan/templates/config/plugins/des.conf
#usr/share/strongswan/templates/config/plugins/dhcp.conf

12
lfs/strongswan
View File

@@ -24,7 +24,7 @@
include Config
VER = 5.2.2
VER = 5.3.0
THISAPP = strongswan-$(VER)
DL_FILE = $(THISAPP).tar.bz2
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 7ee1a33060b2bde35be0f6d78a1d26d0
$(DL_FILE)_MD5 = c52d4228231c2025d9c320d0e9990327
install : $(TARGET)
@@ -78,11 +78,7 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.0.2_ipfire.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816-eb25190.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816-650a3ad.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-816-dd0ebb.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch
cd $(DIR_APP) && [ -x "configure" ] || ./autogen.sh
cd $(DIR_APP) && ./configure \
@@ -93,6 +89,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
--enable-farp \
--enable-openssl \
--enable-gcrypt \
--enable-ccm \
--enable-ctr \
--enable-gcm \
--enable-xauth-eap \
--enable-xauth-noauth \

35
src/patches/strongswan-5.2.2-issue-816-650a3ad.patch
View File

@@ -1,35 +0,0 @@
commit 650a3ad5151958b99a95836fb8b84b8aa18da1be
Author: Tobias Brunner <tobias@strongswan.org>
Date: Wed Feb 25 08:09:11 2015 +0100
ike-sa-manager: Make sure the message ID of initial messages is 0
It is mandated by the RFCs and it is expected by the task managers.
Initial messages with invalid MID will be treated like regular messages,
so no IKE_SA will be created for them. Instead, if the responder SPI is 0
no SA will be found and the message is rejected with ALERT_INVALID_IKE_SPI.
If an SPI is set and we do find an SA, then we either ignore the message
because the MID is unexpected, or because we don't allow initial messages
on established connections.
There is one exception, though, if an attacker can slip in an IKE_SA_INIT
with both SPIs set before the client's IKE_AUTH is handled by the server,
it does get processed (see next commit).
References #816.
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index d0cbd47..5e2b925 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -1184,7 +1184,8 @@ METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
DBG2(DBG_MGR, "checkout IKE_SA by message");
- if (id->get_responder_spi(id) == 0)
+ if (id->get_responder_spi(id) == 0 &&
+ message->get_message_id(message) == 0)
{
if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
{

42
src/patches/strongswan-5.2.2-issue-816-dd0ebb.patch
View File

@@ -1,42 +0,0 @@
commit dd0ebb54837298c869389d36a0b42eefdb893dd6
Author: Tobias Brunner <tobias@strongswan.org>
Date: Wed Feb 25 08:30:33 2015 +0100
ikev2: Only accept initial messages in specific states
The previous code allowed an attacker to slip in an IKE_SA_INIT with
both SPIs and MID 1 set when an IKE_AUTH would be expected instead.
References #816.
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index be84e71..540d4dc 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1304,17 +1304,16 @@ METHOD(task_manager_t, process_message, status_t,
{
if (mid == this->responding.mid)
{
- /* reject initial messages once established */
- if (msg->get_exchange_type(msg) == IKE_SA_INIT ||
- msg->get_exchange_type(msg) == IKE_AUTH)
+ /* reject initial messages if not received in specific states */
+ if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
+ this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) ||
+ (msg->get_exchange_type(msg) == IKE_AUTH &&
+ this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
{
- if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
- this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
- {
- DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
- exchange_type_names, msg->get_exchange_type(msg));
- return FAILED;
- }
+ DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
+ exchange_type_names, msg->get_exchange_type(msg),
+ ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
+ return FAILED;
}
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
{ /* with MOBIKE, we do no implicit updates */

31
src/patches/strongswan-5.2.2-issue-816-eb25190.patch
View File

@@ -1,31 +0,0 @@
commit eb251906298b529fa53b8a99746a9a7a9f318dd5
Author: Tobias Brunner <tobias@strongswan.org>
Date: Wed Feb 25 08:18:58 2015 +0100
ikev2: Don't destroy the SA if an IKE_SA_INIT with unexpected MID is received
This reverts 8f727d800751 ("Clean up IKE_SA state if IKE_SA_INIT request
does not have message ID 0") because it allowed to close any IKE_SA by
sending an IKE_SA_INIT with an unexpected MID and both SPIs set to those
of that SA.
The next commit will prevent SAs from getting created for IKE_SA_INIT messages
with invalid MID.
Fixes #816.
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 48266aa..be84e71 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -1355,10 +1355,6 @@ METHOD(task_manager_t, process_message, status_t,
{
DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
mid, this->responding.mid);
- if (msg->get_exchange_type(msg) == IKE_SA_INIT)
- { /* clean up IKE_SA state if IKE_SA_INIT has invalid msg ID */
- return DESTROY_ME;
- }
}
}
else

50
src/patches/strongswan-5.2.2-issue-819-cd2c30a.patch
View File

@@ -1,50 +0,0 @@
From cd2c30a56ec9bdab8b3923851509f27a4fd6f537 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Tue, 10 Feb 2015 19:03:44 +0100
Subject: [PATCH] ikev1: Set protocol ID and SPIs in INITIAL-CONTACT
notification payloads
The payload we sent before is not compliant with RFC 2407 and thus some
peers might abort negotiation (e.g. with an INVALID-PROTOCOL-ID error).
#819
---
src/libcharon/sa/ikev1/tasks/main_mode.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/libcharon/sa/ikev1/tasks/main_mode.c b/src/libcharon/sa/ikev1/tasks/main_mode.c
index 5065e70..3ea4a2a 100644
--- a/src/libcharon/sa/ikev1/tasks/main_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/main_mode.c
@@ -213,6 +213,10 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message,
{
identification_t *idr;
host_t *host;
+ notify_payload_t *notify;
+ ike_sa_id_t *ike_sa_id;
+ u_int64_t spi_i, spi_r;
+ chunk_t spi;
idr = this->ph1->get_id(this->ph1, this->peer_cfg, FALSE);
if (idr && !idr->contains_wildcards(idr))
@@ -224,8 +228,15 @@ static void add_initial_contact(private_main_mode_t *this, message_t *message,
if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
idi, idr, host->get_family(host)))
{
- message->add_notify(message, FALSE, INITIAL_CONTACT_IKEV1,
- chunk_empty);
+ notify = notify_payload_create_from_protocol_and_type(
+ PLV1_NOTIFY, PROTO_IKE, INITIAL_CONTACT_IKEV1);
+ ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+ spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
+ spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
+ spi = chunk_cata("cc", chunk_from_thing(spi_i),
+ chunk_from_thing(spi_r));
+ notify->set_spi_data(notify, spi);
+ message->add_payload(message, (payload_t*)notify);
}
}
}
--
1.7.9.5

46
src/patches/strongswan-5.0.2_ipfire.patch → src/patches/strongswan-ipfire.patch
View File

@@ -1,8 +1,8 @@
--- a/src/_updown/_updown.in
+++ b/src/_updown/_updown.in
@@ -178,6 +178,29 @@
;;
esac
--- strongswan-5.3.0/src/_updown/_updown.in.old 2015-03-17 18:17:43.000000000 +0000
+++ strongswan-5.3.0/src/_updown/_updown.in 2015-03-30 22:48:27.084030719 +0000
@@ -122,6 +122,29 @@
# address family.
#
+function ip_encode() {
+ local IFS=.
@@ -27,10 +27,10 @@
+ [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) ))
+}
+
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
@@ -407,12 +430,12 @@
# define a minimum PATH environment in case it is not set
PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
export PATH
@@ -232,12 +255,12 @@
# connection to me, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
@@ -46,7 +46,7 @@
#
# allow IPIP traffic because of the implicit SA created by the kernel if
# IPComp is used (for small inbound packets that are not compressed)
@@ -428,10 +451,10 @@
@@ -253,10 +276,10 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
@@ -59,7 +59,7 @@
fi
fi
;;
@@ -439,12 +462,12 @@
@@ -264,12 +287,12 @@
# connection to me, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
@@ -75,7 +75,7 @@
#
# IPIP exception teardown
if [ -n "$PLUTO_IPCOMP" ]
@@ -459,10 +482,10 @@
@@ -284,10 +307,10 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
@@ -88,7 +88,7 @@
fi
fi
;;
@@ -472,24 +495,24 @@
@@ -297,24 +320,24 @@
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
then
@@ -121,7 +121,7 @@
fi
#
# allow IPIP traffic because of the implicit SA created by the kernel if
@@ -497,7 +520,7 @@
@@ -322,7 +345,7 @@
# INPUT is correct here even for forwarded traffic.
if [ -n "$PLUTO_IPCOMP" ]
then
@@ -130,7 +130,7 @@
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
fi
#
@@ -507,12 +530,51 @@
@@ -332,12 +355,51 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO \
@@ -184,7 +184,7 @@
;;
down-client:iptables)
# connection to client subnet, with (left/right)firewall=yes, going down
@@ -520,34 +582,34 @@
@@ -345,34 +407,34 @@
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
then
@@ -228,7 +228,7 @@
-s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT
fi
#
@@ -557,12 +619,51 @@
@@ -382,12 +444,51 @@
if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
then
logger -t $TAG -p $FAC_PRIO -- \
@@ -282,7 +282,7 @@
;;
#
# IPv6
@@ -597,10 +698,10 @@
@@ -412,10 +513,10 @@
# connection to me, with (left/right)firewall=yes, coming up
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
@@ -295,7 +295,7 @@
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
@@ -621,10 +722,10 @@
@@ -436,10 +537,10 @@
# connection to me, with (left/right)firewall=yes, going down
# This is used only by the default updown script, not by your custom
# ones, so do not mess with it; see CAUTION comment up at top.
@@ -308,7 +308,7 @@
-s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
#
@@ -647,10 +748,10 @@
@@ -462,10 +563,10 @@
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
then
@@ -321,7 +321,7 @@
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
fi
@@ -659,10 +760,10 @@
@@ -474,10 +575,10 @@
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then
@@ -334,7 +334,7 @@
-s $PLUTO_MY_CLIENT $S_MY_PORT \
-d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
fi
@@ -686,11 +787,11 @@
@@ -501,11 +602,11 @@
# ones, so do not mess with it; see CAUTION comment up at top.
if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
then
@@ -348,7 +348,7 @@
-s $PLUTO_PEER_CLIENT $S_PEER_PORT \
-d $PLUTO_MY_CLIENT $D_MY_PORT \
$IPSEC_POLICY_IN -j ACCEPT
@@ -700,11 +801,11 @@
@@ -515,11 +616,11 @@
# or sometimes host access via the internal IP is needed
if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
then